Play interactive tour

Edit tour

Analysis Report DUBAI CHEMEX REGA.exe

Overview

General Information

Sample Name:	DUBAI CHEMEX REGA.exe
Analysis ID:	385489
MD5:	7a7078e03fd2fee66b7436da7222d2e0
SHA1:	03f9dd35d1d16d69da789e8e1e0119f0163adaae
SHA256:	b655965e57f392a0c5d82d2f248d432575b4f7092fa87a8bd868e56e6e32d546
Tags:	AgentTeslaexe
Infos:
Most interesting Screenshot:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Yara detected AgentTesla

Yara detected AntiVM3

.NET source code contains very large array initializations

Contains functionality to register a low level keyboard hook

Hides that the sample has been downloaded from the Internet (zone.identifier)

Injects a PE file into a foreign processes

Installs a global keyboard hook

Machine Learning detection for dropped file

Machine Learning detection for sample

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file access)

Antivirus or Machine Learning detection for unpacked file

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains long sleeps (>= 3 min)

Creates a DirectInput object (often for capturing keystrokes)

Creates a process in suspended mode (likely to inject code)

Creates a window with clipboard capturing capabilities

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains strange resources

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses SMTP (mail sending)

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Startup

System is w10x64

DUBAI CHEMEX REGA.exe (PID: 6900 cmdline: 'C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe' MD5: 7A7078E03FD2FEE66B7436DA7222D2E0)

DUBAI CHEMEX REGA.exe (PID: 3120 cmdline: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe MD5: 7A7078E03FD2FEE66B7436DA7222D2E0)

AlxpSuW.exe (PID: 6564 cmdline: 'C:\Users\user\AppData\Roaming\AlxpSuW\AlxpSuW.exe' MD5: 7A7078E03FD2FEE66B7436DA7222D2E0)

AlxpSuW.exe (PID: 7044 cmdline: C:\Users\user\AppData\Roaming\AlxpSuW\AlxpSuW.exe MD5: 7A7078E03FD2FEE66B7436DA7222D2E0)

AlxpSuW.exe (PID: 7000 cmdline: 'C:\Users\user\AppData\Roaming\AlxpSuW\AlxpSuW.exe' MD5: 7A7078E03FD2FEE66B7436DA7222D2E0)

cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "SMTP Info": "kishore@satguruclearing.comsatguru@9939*webmail.satguruclearing.com"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.665376821.0000000004579000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000004.00000002.911263049.0000000002B71000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000004.00000002.911263049.0000000002B71000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000009.00000002.746129783.00000000039B8000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000004.00000002.909140573.0000000000402000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000A.00000002.909153388.0000000000402000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000009.00000002.741126162.00000000027C1000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000000.00000002.664541642.0000000003381000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
0000000A.00000002.910963365.0000000003201000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000A.00000002.910963365.0000000003201000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: DUBAI CHEMEX REGA.exe PID: 3120	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: DUBAI CHEMEX REGA.exe PID: 3120	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: AlxpSuW.exe PID: 7044	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: AlxpSuW.exe PID: 7044	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: DUBAI CHEMEX REGA.exe PID: 6900	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: DUBAI CHEMEX REGA.exe PID: 6900	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: AlxpSuW.exe PID: 6564	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: AlxpSuW.exe PID: 6564	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Click to see the 13 entries

Unpacked PEs

Source	Rule	Description	Author
9.2.AlxpSuW.exe.3a3edf8.2.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
4.2.DUBAI CHEMEX REGA.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
9.2.AlxpSuW.exe.3a3edf8.2.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.DUBAI CHEMEX REGA.exe.45fedf8.3.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.DUBAI CHEMEX REGA.exe.45fedf8.3.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
10.2.AlxpSuW.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
9.2.AlxpSuW.exe.39d27d8.3.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.DUBAI CHEMEX REGA.exe.45927d8.2.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 3 entries

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 4.2.DUBAI CHEMEX REGA.exe.400000.0.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "SMTP Info": "kishore@satguruclearing.comsatguru@9939*webmail.satguruclearing.com"}

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\AlxpSuW\AlxpSuW.exe

ReversingLabs: Detection: 25%

Multi AV Scanner detection for submitted file

Show sources

Source: DUBAI CHEMEX REGA.exe

ReversingLabs: Detection: 25%

Machine Learning detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\AlxpSuW\AlxpSuW.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Show sources

Source: DUBAI CHEMEX REGA.exe

Joe Sandbox ML: detected

Source: 4.2.DUBAI CHEMEX REGA.exe.400000.0.unpack	Avira: Label: TR/Spy.Gen8
Source: 10.2.AlxpSuW.exe.400000.0.unpack	Avira: Label: TR/Spy.Gen8

Source: DUBAI CHEMEX REGA.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: DUBAI CHEMEX REGA.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h	0_2_0EC83C30
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h	0_2_0EC83CF8
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h	0_2_0EC83C19
Source: C:\Users\user\AppData\Roaming\AlxpSuW\AlxpSuW.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h	9_2_06DC3C30
Source: C:\Users\user\AppData\Roaming\AlxpSuW\AlxpSuW.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h	9_2_06DC3CF8
Source: C:\Users\user\AppData\Roaming\AlxpSuW\AlxpSuW.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h	9_2_06DC3C19
Source: C:\Users\user\AppData\Roaming\AlxpSuW\AlxpSuW.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h	9_2_06DC4110

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.4:49763 -> 208.91.199.135:587
Source: Traffic	Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.4:49764 -> 208.91.199.135:587

Source: global traffic

TCP traffic: 192.168.2.4:49763 -> 208.91.199.135:587

Source: Joe Sandbox View

ASN Name: PUBLIC-DOMAIN-REGISTRYUS PUBLIC-DOMAIN-REGISTRYUS

Source: global traffic

TCP traffic: 192.168.2.4:49763 -> 208.91.199.135:587

Source: unknown

DNS traffic detected: queries for: webmail.satguruclearing.com

Source: DUBAI CHEMEX REGA.exe, 00000004.00000002.911263049.0000000002B71000.00000004.00000001.sdmp, AlxpSuW.exe, 0000000A.00000002.910963365.0000000003201000.00000004.00000001.sdmp	String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: AlxpSuW.exe, 0000000A.00000002.910963365.0000000003201000.00000004.00000001.sdmp	String found in binary or memory: http://DynDns.comDynDNS
Source: AlxpSuW.exe, 0000000A.00000002.910963365.0000000003201000.00000004.00000001.sdmp	String found in binary or memory: http://fhHdHb.com
Source: DUBAI CHEMEX REGA.exe, 00000000.00000002.669646935.00000000075D2000.00000004.00000001.sdmp, AlxpSuW.exe, 00000009.00000002.749806133.0000000005870000.00000002.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: DUBAI CHEMEX REGA.exe, 00000000.00000002.664563832.000000000339A000.00000004.00000001.sdmp, DUBAI CHEMEX REGA.exe, 00000000.00000002.664541642.0000000003381000.00000004.00000001.sdmp, AlxpSuW.exe, 00000009.00000002.741183439.00000000027DC000.00000004.00000001.sdmp, AlxpSuW.exe, 00000009.00000002.741126162.00000000027C1000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: DUBAI CHEMEX REGA.exe, 00000000.00000002.664563832.000000000339A000.00000004.00000001.sdmp, AlxpSuW.exe, 00000009.00000002.741183439.00000000027DC000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name4
Source: DUBAI CHEMEX REGA.exe, 00000004.00000002.911837506.0000000002EFC000.00000004.00000001.sdmp	String found in binary or memory: http://webmail.satguruclearing.com
Source: DUBAI CHEMEX REGA.exe, 00000000.00000002.669646935.00000000075D2000.00000004.00000001.sdmp, AlxpSuW.exe, 00000009.00000002.749806133.0000000005870000.00000002.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: DUBAI CHEMEX REGA.exe, 00000000.00000002.669646935.00000000075D2000.00000004.00000001.sdmp, AlxpSuW.exe, 00000009.00000002.749806133.0000000005870000.00000002.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: DUBAI CHEMEX REGA.exe, 00000000.00000002.669646935.00000000075D2000.00000004.00000001.sdmp, AlxpSuW.exe, 00000009.00000002.749806133.0000000005870000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: AlxpSuW.exe, 00000009.00000002.749806133.0000000005870000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: DUBAI CHEMEX REGA.exe, 00000000.00000002.669646935.00000000075D2000.00000004.00000001.sdmp, AlxpSuW.exe, 00000009.00000002.749806133.0000000005870000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: DUBAI CHEMEX REGA.exe, 00000000.00000002.669646935.00000000075D2000.00000004.00000001.sdmp, AlxpSuW.exe, 00000009.00000002.749806133.0000000005870000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: DUBAI CHEMEX REGA.exe, 00000000.00000002.669646935.00000000075D2000.00000004.00000001.sdmp, AlxpSuW.exe, 00000009.00000002.749806133.0000000005870000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: DUBAI CHEMEX REGA.exe, 00000000.00000002.669646935.00000000075D2000.00000004.00000001.sdmp, AlxpSuW.exe, 00000009.00000002.749806133.0000000005870000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: DUBAI CHEMEX REGA.exe, 00000000.00000002.669646935.00000000075D2000.00000004.00000001.sdmp, AlxpSuW.exe, 00000009.00000002.749806133.0000000005870000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: DUBAI CHEMEX REGA.exe, 00000000.00000002.669646935.00000000075D2000.00000004.00000001.sdmp, AlxpSuW.exe, 00000009.00000002.749806133.0000000005870000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: DUBAI CHEMEX REGA.exe, 00000000.00000002.668995974.000000000638A000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.coma
Source: DUBAI CHEMEX REGA.exe, 00000000.00000002.668995974.000000000638A000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comue
Source: DUBAI CHEMEX REGA.exe, 00000000.00000002.669646935.00000000075D2000.00000004.00000001.sdmp, AlxpSuW.exe, 00000009.00000002.749806133.0000000005870000.00000002.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: DUBAI CHEMEX REGA.exe, 00000000.00000003.646661565.000000000639B000.00000004.00000001.sdmp	String found in binary or memory: http://www.fonts.comc
Source: DUBAI CHEMEX REGA.exe, 00000000.00000003.646602465.000000000639B000.00000004.00000001.sdmp	String found in binary or memory: http://www.fonts.comn
Source: DUBAI CHEMEX REGA.exe, 00000000.00000002.669646935.00000000075D2000.00000004.00000001.sdmp, AlxpSuW.exe, 00000009.00000002.749806133.0000000005870000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: DUBAI CHEMEX REGA.exe, 00000000.00000002.669646935.00000000075D2000.00000004.00000001.sdmp, AlxpSuW.exe, 00000009.00000002.749806133.0000000005870000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: DUBAI CHEMEX REGA.exe, 00000000.00000002.669646935.00000000075D2000.00000004.00000001.sdmp, AlxpSuW.exe, 00000009.00000002.749806133.0000000005870000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: DUBAI CHEMEX REGA.exe, 00000000.00000003.648227085.0000000006391000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cnLog
Source: DUBAI CHEMEX REGA.exe, 00000000.00000003.648227085.0000000006391000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cnrig)E
Source: DUBAI CHEMEX REGA.exe, 00000000.00000002.669646935.00000000075D2000.00000004.00000001.sdmp, AlxpSuW.exe, 00000009.00000002.749806133.0000000005870000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: DUBAI CHEMEX REGA.exe, 00000000.00000002.669646935.00000000075D2000.00000004.00000001.sdmp, AlxpSuW.exe, 00000009.00000002.749806133.0000000005870000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: DUBAI CHEMEX REGA.exe, 00000000.00000002.669646935.00000000075D2000.00000004.00000001.sdmp, AlxpSuW.exe, 00000009.00000002.749806133.0000000005870000.00000002.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: DUBAI CHEMEX REGA.exe, 00000000.00000003.649641249.000000000638C000.00000004.00000001.sdmp, DUBAI CHEMEX REGA.exe, 00000000.00000003.649849888.000000000638C000.00000004.00000001.sdmp, DUBAI CHEMEX REGA.exe, 00000000.00000003.649977429.0000000006386000.00000004.00000001.sdmp, AlxpSuW.exe, 00000009.00000002.749806133.0000000005870000.00000002.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: DUBAI CHEMEX REGA.exe, 00000000.00000003.649641249.000000000638C000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/.~6M
Source: DUBAI CHEMEX REGA.exe, 00000000.00000003.649641249.000000000638C000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/5~
Source: DUBAI CHEMEX REGA.exe, 00000000.00000003.649849888.000000000638C000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/9
Source: DUBAI CHEMEX REGA.exe, 00000000.00000003.649849888.000000000638C000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/C~
Source: DUBAI CHEMEX REGA.exe, 00000000.00000003.649977429.0000000006386000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/Q~)M
Source: DUBAI CHEMEX REGA.exe, 00000000.00000003.649754673.000000000638C000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0o
Source: DUBAI CHEMEX REGA.exe, 00000000.00000003.649641249.000000000638C000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/dd8
Source: DUBAI CHEMEX REGA.exe, 00000000.00000003.649641249.000000000638C000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/e~
Source: DUBAI CHEMEX REGA.exe, 00000000.00000003.649641249.000000000638C000.00000004.00000001.sdmp, DUBAI CHEMEX REGA.exe, 00000000.00000003.649849888.000000000638C000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: DUBAI CHEMEX REGA.exe, 00000000.00000003.649754673.000000000638C000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/.~6M
Source: DUBAI CHEMEX REGA.exe, 00000000.00000003.649754673.000000000638C000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/5~
Source: DUBAI CHEMEX REGA.exe, 00000000.00000003.649527166.0000000006383000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/l~
Source: DUBAI CHEMEX REGA.exe, 00000000.00000003.649641249.000000000638C000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/n
Source: DUBAI CHEMEX REGA.exe, 00000000.00000002.669646935.00000000075D2000.00000004.00000001.sdmp, AlxpSuW.exe, 00000009.00000002.749806133.0000000005870000.00000002.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: DUBAI CHEMEX REGA.exe, 00000000.00000002.669646935.00000000075D2000.00000004.00000001.sdmp, AlxpSuW.exe, 00000009.00000002.749806133.0000000005870000.00000002.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: DUBAI CHEMEX REGA.exe, 00000000.00000002.669646935.00000000075D2000.00000004.00000001.sdmp, AlxpSuW.exe, 00000009.00000002.749806133.0000000005870000.00000002.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: AlxpSuW.exe, 00000009.00000002.749806133.0000000005870000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: DUBAI CHEMEX REGA.exe, 00000000.00000003.647546366.000000000639B000.00000004.00000001.sdmp	String found in binary or memory: http://www.tiro.comym
Source: DUBAI CHEMEX REGA.exe, 00000000.00000002.669646935.00000000075D2000.00000004.00000001.sdmp, AlxpSuW.exe, 00000009.00000002.749806133.0000000005870000.00000002.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: DUBAI CHEMEX REGA.exe, 00000000.00000002.669646935.00000000075D2000.00000004.00000001.sdmp, AlxpSuW.exe, 00000009.00000002.749806133.0000000005870000.00000002.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: DUBAI CHEMEX REGA.exe, 00000000.00000002.669646935.00000000075D2000.00000004.00000001.sdmp, AlxpSuW.exe, 00000009.00000002.749806133.0000000005870000.00000002.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: DUBAI CHEMEX REGA.exe, 00000004.00000002.911770163.0000000002EDC000.00000004.00000001.sdmp, DUBAI CHEMEX REGA.exe, 00000004.00000003.862456569.0000000000D84000.00000004.00000001.sdmp	String found in binary or memory: https://Ii19E5Eebc4fe8K8ng5D.com
Source: DUBAI CHEMEX REGA.exe, 00000004.00000002.911263049.0000000002B71000.00000004.00000001.sdmp	String found in binary or memory: https://api.ipify.org%
Source: AlxpSuW.exe, 0000000A.00000002.910963365.0000000003201000.00000004.00000001.sdmp	String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
Source: DUBAI CHEMEX REGA.exe, 00000000.00000002.664541642.0000000003381000.00000004.00000001.sdmp, AlxpSuW.exe, 00000009.00000002.741126162.00000000027C1000.00000004.00000001.sdmp	String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css
Source: DUBAI CHEMEX REGA.exe, 00000000.00000002.665376821.0000000004579000.00000004.00000001.sdmp, DUBAI CHEMEX REGA.exe, 00000004.00000002.909140573.0000000000402000.00000040.00000001.sdmp, AlxpSuW.exe, 00000009.00000002.746129783.00000000039B8000.00000004.00000001.sdmp, AlxpSuW.exe, 0000000A.00000002.909153388.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: DUBAI CHEMEX REGA.exe, 00000004.00000002.911263049.0000000002B71000.00000004.00000001.sdmp, AlxpSuW.exe, 0000000A.00000002.910963365.0000000003201000.00000004.00000001.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to register a low level keyboard hook

Show sources

Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe

Code function: 4_2_01010BE0 SetWindowsHookExW 0000000D,00000000,?,?

4_2_01010BE0

Installs a global keyboard hook

Show sources

Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe

Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe

Jump to behavior

Source: DUBAI CHEMEX REGA.exe, 00000000.00000002.663766023.0000000001550000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Window created: window name: CLIPBRDWNDCLASS			Jump to behavior
Source: C:\Users\user\AppData\Roaming\AlxpSuW\AlxpSuW.exe	Window created: window name: CLIPBRDWNDCLASS			Jump to behavior

System Summary:

.NET source code contains very large array initializations

Show sources

Source: 4.2.DUBAI CHEMEX REGA.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007b3A1953CEu002d913Fu002d4F9Au002dB9F7u002dB5A04C8C3548u007d/u003469103C2u002d05CBu002d457Au002dAA60u002d2FD346117A8C.cs	Large array initialization: .cctor: array initializer size 11946
Source: 10.2.AlxpSuW.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007b3A1953CEu002d913Fu002d4F9Au002dB9F7u002dB5A04C8C3548u007d/u003469103C2u002d05CBu002d457Au002dAA60u002d2FD346117A8C.cs	Large array initialization: .cctor: array initializer size 11946

Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Code function: 0_2_07CA86B8 NtQueryInformationProcess,		0_2_07CA86B8
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Code function: 0_2_07CA86B0 NtQueryInformationProcess,		0_2_07CA86B0

Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Code function: 0_2_019BDB4C	0_2_019BDB4C
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Code function: 0_2_019BC3A0	0_2_019BC3A0
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Code function: 0_2_019BE213	0_2_019BE213
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Code function: 0_2_019BA758	0_2_019BA758
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Code function: 0_2_07CA0EB0	0_2_07CA0EB0
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Code function: 0_2_07CA0500	0_2_07CA0500
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Code function: 0_2_07CA1D01	0_2_07CA1D01
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Code function: 0_2_07CA8471	0_2_07CA8471
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Code function: 0_2_07CA9948	0_2_07CA9948
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Code function: 0_2_07CA7928	0_2_07CA7928
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Code function: 0_2_07CA3FA8	0_2_07CA3FA8
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Code function: 0_2_07CA3FB8	0_2_07CA3FB8
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Code function: 0_2_07CA0EA2	0_2_07CA0EA2
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Code function: 0_2_07CA45C0	0_2_07CA45C0
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Code function: 0_2_07CA45D0	0_2_07CA45D0
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Code function: 0_2_07CA9D58	0_2_07CA9D58
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Code function: 0_2_07CA1D6A	0_2_07CA1D6A
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Code function: 0_2_07CA2CE8	0_2_07CA2CE8
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Code function: 0_2_07CA2CF8	0_2_07CA2CF8
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Code function: 0_2_07CA04F0	0_2_07CA04F0
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Code function: 0_2_07CA0CA2	0_2_07CA0CA2
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Code function: 0_2_07CA9C74	0_2_07CA9C74
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Code function: 0_2_07CA3C00	0_2_07CA3C00
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Code function: 0_2_07CA43E0	0_2_07CA43E0
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Code function: 0_2_07CA43F0	0_2_07CA43F0
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Code function: 0_2_07CA7BB8	0_2_07CA7BB8
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Code function: 0_2_07CA2B00	0_2_07CA2B00
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Code function: 0_2_07CA41C0	0_2_07CA41C0
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Code function: 0_2_07CA5180	0_2_07CA5180
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Code function: 0_2_07CA5190	0_2_07CA5190
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Code function: 0_2_07CA41B0	0_2_07CA41B0
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Code function: 0_2_07CA3908	0_2_07CA3908
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Code function: 0_2_07CA7922	0_2_07CA7922
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Code function: 0_2_07CA9937	0_2_07CA9937
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Code function: 0_2_07CA38F9	0_2_07CA38F9
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Code function: 0_2_0EC802AD	0_2_0EC802AD
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Code function: 0_2_0EC8026A	0_2_0EC8026A
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Code function: 0_2_0EC80202	0_2_0EC80202
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Code function: 0_2_0EC8021B	0_2_0EC8021B
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Code function: 0_2_0EC83CF8	0_2_0EC83CF8
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Code function: 0_2_0EC80040	0_2_0EC80040
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Code function: 0_2_0EC80011	0_2_0EC80011
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Code function: 4_2_00F7AA98	4_2_00F7AA98
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Code function: 4_2_00F72A28	4_2_00F72A28
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Code function: 4_2_00F74BC0	4_2_00F74BC0
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Code function: 4_2_00F74FCC	4_2_00F74FCC
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Code function: 4_2_00F71D90	4_2_00F71D90
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Code function: 4_2_00F7DF24	4_2_00F7DF24
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Code function: 4_2_00F7BC60	4_2_00F7BC60
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Code function: 4_2_00F96890	4_2_00F96890
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Code function: 4_2_00F9E2B0	4_2_00F9E2B0
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Code function: 4_2_00F93678	4_2_00F93678
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Code function: 4_2_00F95B30	4_2_00F95B30
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Code function: 4_2_00FE2040	4_2_00FE2040
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Code function: 4_2_00FE1C00	4_2_00FE1C00
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Code function: 4_2_00FE9D70	4_2_00FE9D70
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Code function: 4_2_00FE6A30	4_2_00FE6A30
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Code function: 4_2_00FE3FB8	4_2_00FE3FB8
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Code function: 4_2_00FE3CC9	4_2_00FE3CC9
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Code function: 4_2_00FE2081	4_2_00FE2081
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Code function: 4_2_00FE9020	4_2_00FE9020
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Code function: 4_2_00FEB5D0	4_2_00FEB5D0
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Code function: 4_2_00FEDD08	4_2_00FEDD08
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Code function: 4_2_00FED3F0	4_2_00FED3F0
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Code function: 4_2_00FE6B67	4_2_00FE6B67
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Code function: 4_2_01011358	4_2_01011358
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Code function: 4_2_0101B230	4_2_0101B230
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Code function: 4_2_00F70040	4_2_00F70040
Source: C:\Users\user\AppData\Roaming\AlxpSuW\AlxpSuW.exe	Code function: 9_2_06B60EB0	9_2_06B60EB0
Source: C:\Users\user\AppData\Roaming\AlxpSuW\AlxpSuW.exe	Code function: 9_2_06B60500	9_2_06B60500
Source: C:\Users\user\AppData\Roaming\AlxpSuW\AlxpSuW.exe	Code function: 9_2_00F494A8	9_2_00F494A8
Source: C:\Users\user\AppData\Roaming\AlxpSuW\AlxpSuW.exe	Code function: 9_2_00F4DB4C	9_2_00F4DB4C
Source: C:\Users\user\AppData\Roaming\AlxpSuW\AlxpSuW.exe	Code function: 9_2_00F4C148	9_2_00F4C148
Source: C:\Users\user\AppData\Roaming\AlxpSuW\AlxpSuW.exe	Code function: 9_2_00F4E212	9_2_00F4E212
Source: C:\Users\user\AppData\Roaming\AlxpSuW\AlxpSuW.exe	Code function: 9_2_00F4A758	9_2_00F4A758
Source: C:\Users\user\AppData\Roaming\AlxpSuW\AlxpSuW.exe	Code function: 9_2_06DC3CF8	9_2_06DC3CF8
Source: C:\Users\user\AppData\Roaming\AlxpSuW\AlxpSuW.exe	Code function: 9_2_06DC02AD	9_2_06DC02AD
Source: C:\Users\user\AppData\Roaming\AlxpSuW\AlxpSuW.exe	Code function: 9_2_06DC026A	9_2_06DC026A
Source: C:\Users\user\AppData\Roaming\AlxpSuW\AlxpSuW.exe	Code function: 9_2_06DC021B	9_2_06DC021B
Source: C:\Users\user\AppData\Roaming\AlxpSuW\AlxpSuW.exe	Code function: 9_2_06DC0202	9_2_06DC0202
Source: C:\Users\user\AppData\Roaming\AlxpSuW\AlxpSuW.exe	Code function: 9_2_06DC0040	9_2_06DC0040
Source: C:\Users\user\AppData\Roaming\AlxpSuW\AlxpSuW.exe	Code function: 9_2_06DC0007	9_2_06DC0007
Source: C:\Users\user\AppData\Roaming\AlxpSuW\AlxpSuW.exe	Code function: 10_2_030D46E0	10_2_030D46E0
Source: C:\Users\user\AppData\Roaming\AlxpSuW\AlxpSuW.exe	Code function: 10_2_030D360C	10_2_030D360C
Source: C:\Users\user\AppData\Roaming\AlxpSuW\AlxpSuW.exe	Code function: 10_2_030D4610	10_2_030D4610
Source: C:\Users\user\AppData\Roaming\AlxpSuW\AlxpSuW.exe	Code function: 10_2_030D4650	10_2_030D4650
Source: C:\Users\user\AppData\Roaming\AlxpSuW\AlxpSuW.exe	Code function: 10_2_030D4670	10_2_030D4670
Source: C:\Users\user\AppData\Roaming\AlxpSuW\AlxpSuW.exe	Code function: 10_2_030D53D0	10_2_030D53D0
Source: C:\Users\user\AppData\Roaming\AlxpSuW\AlxpSuW.exe	Code function: 10_2_030DDA40	10_2_030DDA40

Source: DUBAI CHEMEX REGA.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: AlxpSuW.exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: DUBAI CHEMEX REGA.exe, 00000000.00000002.663766023.0000000001550000.00000004.00000020.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs DUBAI CHEMEX REGA.exe
Source: DUBAI CHEMEX REGA.exe, 00000000.00000002.665376821.0000000004579000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameDSASignature.dll" vs DUBAI CHEMEX REGA.exe
Source: DUBAI CHEMEX REGA.exe, 00000000.00000002.665376821.0000000004579000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameLfPELLEPAheVvshnzUtYPtKgCCNRjmWTbvvQrd.exe4 vs DUBAI CHEMEX REGA.exe
Source: DUBAI CHEMEX REGA.exe, 00000000.00000002.664563832.000000000339A000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameSimpleUI.dll2 vs DUBAI CHEMEX REGA.exe
Source: DUBAI CHEMEX REGA.exe, 00000000.00000002.662435540.0000000000F40000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameEventResetMode.exe: vs DUBAI CHEMEX REGA.exe
Source: DUBAI CHEMEX REGA.exe, 00000000.00000002.670181231.00000000092F0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemscorrc.dllT vs DUBAI CHEMEX REGA.exe
Source: DUBAI CHEMEX REGA.exe, 00000004.00000002.910320727.0000000000F60000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamewshom.ocx.mui vs DUBAI CHEMEX REGA.exe
Source: DUBAI CHEMEX REGA.exe, 00000004.00000000.660758285.00000000008C0000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameEventResetMode.exe: vs DUBAI CHEMEX REGA.exe
Source: DUBAI CHEMEX REGA.exe, 00000004.00000002.909140573.0000000000402000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenameLfPELLEPAheVvshnzUtYPtKgCCNRjmWTbvvQrd.exe4 vs DUBAI CHEMEX REGA.exe
Source: DUBAI CHEMEX REGA.exe, 00000004.00000002.909540597.0000000000CF8000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs DUBAI CHEMEX REGA.exe
Source: DUBAI CHEMEX REGA.exe, 00000004.00000002.915897760.0000000005F70000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemscorrc.dllT vs DUBAI CHEMEX REGA.exe
Source: DUBAI CHEMEX REGA.exe	Binary or memory string: OriginalFilenameEventResetMode.exe: vs DUBAI CHEMEX REGA.exe

Source: DUBAI CHEMEX REGA.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: DUBAI CHEMEX REGA.exe	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: AlxpSuW.exe.4.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: 4.2.DUBAI CHEMEX REGA.exe.400000.0.unpack, A/b2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 4.2.DUBAI CHEMEX REGA.exe.400000.0.unpack, A/b2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 10.2.AlxpSuW.exe.400000.0.unpack, A/b2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 10.2.AlxpSuW.exe.400000.0.unpack, A/b2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@7/5@2/1

Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\DUBAI CHEMEX REGA.exe.log

Jump to behavior

Source: DUBAI CHEMEX REGA.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AlxpSuW\AlxpSuW.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AlxpSuW\AlxpSuW.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior

Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\AlxpSuW\AlxpSuW.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: DUBAI CHEMEX REGA.exe, 00000000.00000002.664541642.0000000003381000.00000004.00000001.sdmp, AlxpSuW.exe, 00000009.00000002.741126162.00000000027C1000.00000004.00000001.sdmp	Binary or memory string: Select * from UnmanagedMemoryStreamWrapper WHERE modelo=@modelo;?
Source: DUBAI CHEMEX REGA.exe, 00000000.00000002.664541642.0000000003381000.00000004.00000001.sdmp, AlxpSuW.exe, 00000009.00000002.741126162.00000000027C1000.00000004.00000001.sdmp	Binary or memory string: Select * from Clientes WHERE id=@id;;
Source: DUBAI CHEMEX REGA.exe, 00000000.00000002.664541642.0000000003381000.00000004.00000001.sdmp, AlxpSuW.exe, 00000009.00000002.741126162.00000000027C1000.00000004.00000001.sdmp	Binary or memory string: Select * from Aluguel5Erro ao listar Banco sql-UnmanagedMemoryStreamWrapper.INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: DUBAI CHEMEX REGA.exe, 00000000.00000002.664541642.0000000003381000.00000004.00000001.sdmp, AlxpSuW.exe, 00000009.00000002.741126162.00000000027C1000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO UnmanagedMemoryStreamWrapper VALUES(@modelo, @fabricante, @ano, @cor);
Source: DUBAI CHEMEX REGA.exe, 00000000.00000002.664541642.0000000003381000.00000004.00000001.sdmp, AlxpSuW.exe, 00000009.00000002.741126162.00000000027C1000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
Source: DUBAI CHEMEX REGA.exe, 00000000.00000002.664541642.0000000003381000.00000004.00000001.sdmp, AlxpSuW.exe, 00000009.00000002.741126162.00000000027C1000.00000004.00000001.sdmp	Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
Source: DUBAI CHEMEX REGA.exe, 00000000.00000002.664541642.0000000003381000.00000004.00000001.sdmp, AlxpSuW.exe, 00000009.00000002.741126162.00000000027C1000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);

Source: DUBAI CHEMEX REGA.exe

ReversingLabs: Detection: 25%

Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe

File read: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe 'C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe'
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Process created: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\AlxpSuW\AlxpSuW.exe 'C:\Users\user\AppData\Roaming\AlxpSuW\AlxpSuW.exe'
Source: C:\Users\user\AppData\Roaming\AlxpSuW\AlxpSuW.exe	Process created: C:\Users\user\AppData\Roaming\AlxpSuW\AlxpSuW.exe C:\Users\user\AppData\Roaming\AlxpSuW\AlxpSuW.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\AlxpSuW\AlxpSuW.exe 'C:\Users\user\AppData\Roaming\AlxpSuW\AlxpSuW.exe'
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Process created: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AlxpSuW\AlxpSuW.exe	Process created: C:\Users\user\AppData\Roaming\AlxpSuW\AlxpSuW.exe C:\Users\user\AppData\Roaming\AlxpSuW\AlxpSuW.exe	Jump to behavior

Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: DUBAI CHEMEX REGA.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: DUBAI CHEMEX REGA.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Code function: 0_2_07CA768F pushad ; retf 0007h	0_2_07CA769A
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Code function: 0_2_0EC81A09 push eax; ret	0_2_0EC81A0D
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Code function: 0_2_0EC814ED push cs; iretd	0_2_0EC814F0
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Code function: 0_2_0EC8149D push cs; ret	0_2_0EC814A0
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Code function: 0_2_0EC814A1 push cs; iretd	0_2_0EC814A4
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Code function: 4_2_00F793FA push 8BFFFFFFh; retf	4_2_00F79400
Source: C:\Users\user\AppData\Roaming\AlxpSuW\AlxpSuW.exe	Code function: 9_2_06B14B3C pushfd ; ret	9_2_06B14B4F
Source: C:\Users\user\AppData\Roaming\AlxpSuW\AlxpSuW.exe	Code function: 9_2_06B12577 push 00000040h; ret	9_2_06B12595
Source: C:\Users\user\AppData\Roaming\AlxpSuW\AlxpSuW.exe	Code function: 9_2_04D4C847 push ecx; ret	9_2_04D4C865
Source: C:\Users\user\AppData\Roaming\AlxpSuW\AlxpSuW.exe	Code function: 9_2_04D4F251 push 5E18468Bh; ret	9_2_04D4F1CF
Source: C:\Users\user\AppData\Roaming\AlxpSuW\AlxpSuW.exe	Code function: 9_2_04D47BF7 push E801005Eh; retf	9_2_04D47C01
Source: C:\Users\user\AppData\Roaming\AlxpSuW\AlxpSuW.exe	Code function: 9_2_06DC14A1 push es; iretd	9_2_06DC14A4
Source: C:\Users\user\AppData\Roaming\AlxpSuW\AlxpSuW.exe	Code function: 9_2_06DC1A09 push eax; ret	9_2_06DC1A0D

Source: initial sample	Static PE information: section name: .text entropy: 7.81409495243
Source: initial sample	Static PE information: section name: .text entropy: 7.81409495243

Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe

File created: C:\Users\user\AppData\Roaming\AlxpSuW\AlxpSuW.exe

Jump to dropped file

Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run AlxpSuW			Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run AlxpSuW			Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Show sources

Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe

File opened: C:\Users\user\AppData\Roaming\AlxpSuW\AlxpSuW.exe:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AlxpSuW\AlxpSuW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AlxpSuW\AlxpSuW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AlxpSuW\AlxpSuW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AlxpSuW\AlxpSuW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AlxpSuW\AlxpSuW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AlxpSuW\AlxpSuW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AlxpSuW\AlxpSuW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AlxpSuW\AlxpSuW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AlxpSuW\AlxpSuW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AlxpSuW\AlxpSuW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AlxpSuW\AlxpSuW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AlxpSuW\AlxpSuW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AlxpSuW\AlxpSuW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AlxpSuW\AlxpSuW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AlxpSuW\AlxpSuW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AlxpSuW\AlxpSuW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AlxpSuW\AlxpSuW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AlxpSuW\AlxpSuW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AlxpSuW\AlxpSuW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AlxpSuW\AlxpSuW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AlxpSuW\AlxpSuW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AlxpSuW\AlxpSuW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AlxpSuW\AlxpSuW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AlxpSuW\AlxpSuW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AlxpSuW\AlxpSuW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AlxpSuW\AlxpSuW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AlxpSuW\AlxpSuW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AlxpSuW\AlxpSuW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AlxpSuW\AlxpSuW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AlxpSuW\AlxpSuW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AlxpSuW\AlxpSuW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AlxpSuW\AlxpSuW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AlxpSuW\AlxpSuW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AlxpSuW\AlxpSuW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AlxpSuW\AlxpSuW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AlxpSuW\AlxpSuW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AlxpSuW\AlxpSuW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AlxpSuW\AlxpSuW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AlxpSuW\AlxpSuW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AlxpSuW\AlxpSuW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AlxpSuW\AlxpSuW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AlxpSuW\AlxpSuW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AlxpSuW\AlxpSuW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AlxpSuW\AlxpSuW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AlxpSuW\AlxpSuW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AlxpSuW\AlxpSuW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AlxpSuW\AlxpSuW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AlxpSuW\AlxpSuW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AlxpSuW\AlxpSuW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AlxpSuW\AlxpSuW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AlxpSuW\AlxpSuW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AlxpSuW\AlxpSuW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AlxpSuW\AlxpSuW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AlxpSuW\AlxpSuW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AlxpSuW\AlxpSuW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AlxpSuW\AlxpSuW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AlxpSuW\AlxpSuW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AlxpSuW\AlxpSuW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AlxpSuW\AlxpSuW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AlxpSuW\AlxpSuW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AlxpSuW\AlxpSuW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AlxpSuW\AlxpSuW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AlxpSuW\AlxpSuW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AlxpSuW\AlxpSuW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AlxpSuW\AlxpSuW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AlxpSuW\AlxpSuW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AlxpSuW\AlxpSuW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AlxpSuW\AlxpSuW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AlxpSuW\AlxpSuW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AlxpSuW\AlxpSuW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AlxpSuW\AlxpSuW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AlxpSuW\AlxpSuW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AlxpSuW\AlxpSuW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AlxpSuW\AlxpSuW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AlxpSuW\AlxpSuW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AlxpSuW\AlxpSuW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AlxpSuW\AlxpSuW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AlxpSuW\AlxpSuW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Yara detected AntiVM3

Show sources

Source: Yara match	File source: 00000009.00000002.741126162.00000000027C1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.664541642.0000000003381000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: DUBAI CHEMEX REGA.exe PID: 6900, type: MEMORY
Source: Yara match	File source: Process Memory Space: AlxpSuW.exe PID: 6564, type: MEMORY

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Show sources

Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\AlxpSuW\AlxpSuW.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Show sources

Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\AlxpSuW\AlxpSuW.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: DUBAI CHEMEX REGA.exe, 00000000.00000002.664541642.0000000003381000.00000004.00000001.sdmp, AlxpSuW.exe, 00000009.00000002.741126162.00000000027C1000.00000004.00000001.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: DUBAI CHEMEX REGA.exe, 00000000.00000002.664541642.0000000003381000.00000004.00000001.sdmp, AlxpSuW.exe, 00000009.00000002.741126162.00000000027C1000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AlxpSuW\AlxpSuW.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AlxpSuW\AlxpSuW.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Window / User API: threadDelayed 982	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Window / User API: threadDelayed 8839	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AlxpSuW\AlxpSuW.exe	Window / User API: threadDelayed 1519	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AlxpSuW\AlxpSuW.exe	Window / User API: threadDelayed 8335	Jump to behavior

Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe TID: 6904	Thread sleep time: -100190s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe TID: 6932	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe TID: 1584	Thread sleep time: -13835058055282155s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe TID: 5852	Thread sleep count: 982 > 30	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe TID: 5852	Thread sleep count: 8839 > 30	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe TID: 1584	Thread sleep count: 40 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AlxpSuW\AlxpSuW.exe TID: 7008	Thread sleep time: -104400s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AlxpSuW\AlxpSuW.exe TID: 7012	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AlxpSuW\AlxpSuW.exe TID: 2188	Thread sleep time: -19369081277395017s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AlxpSuW\AlxpSuW.exe TID: 4876	Thread sleep count: 1519 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AlxpSuW\AlxpSuW.exe TID: 4876	Thread sleep count: 8335 > 30	Jump to behavior

Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\AlxpSuW\AlxpSuW.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Thread delayed: delay time: 100190	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AlxpSuW\AlxpSuW.exe	Thread delayed: delay time: 104400	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AlxpSuW\AlxpSuW.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AlxpSuW\AlxpSuW.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: AlxpSuW.exe, 00000009.00000002.741126162.00000000027C1000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: AlxpSuW.exe, 00000009.00000002.741126162.00000000027C1000.00000004.00000001.sdmp	Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: AlxpSuW.exe, 00000009.00000002.741126162.00000000027C1000.00000004.00000001.sdmp	Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: AlxpSuW.exe, 00000009.00000002.741126162.00000000027C1000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II!Add-MpPreference -ExclusionPath "
Source: AlxpSuW.exe, 00000009.00000002.741126162.00000000027C1000.00000004.00000001.sdmp	Binary or memory string: VMWARE
Source: AlxpSuW.exe, 00000009.00000002.741126162.00000000027C1000.00000004.00000001.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: AlxpSuW.exe, 00000009.00000002.741126162.00000000027C1000.00000004.00000001.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: AlxpSuW.exe, 00000009.00000002.741126162.00000000027C1000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: AlxpSuW.exe, 00000009.00000002.741126162.00000000027C1000.00000004.00000001.sdmp	Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000

Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe

Code function: 4_2_00F90A76 LdrInitializeThunk,KiUserExceptionDispatcher,KiUserExceptionDispatcher,KiUserExceptionDispatcher,

4_2_00F90A76

Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AlxpSuW\AlxpSuW.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AlxpSuW\AlxpSuW.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Memory written: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\Users\user\AppData\Roaming\AlxpSuW\AlxpSuW.exe	Memory written: C:\Users\user\AppData\Roaming\AlxpSuW\AlxpSuW.exe base: 400000 value starts with: 4D5A			Jump to behavior

Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Process created: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe			Jump to behavior
Source: C:\Users\user\AppData\Roaming\AlxpSuW\AlxpSuW.exe	Process created: C:\Users\user\AppData\Roaming\AlxpSuW\AlxpSuW.exe C:\Users\user\AppData\Roaming\AlxpSuW\AlxpSuW.exe			Jump to behavior

Source: DUBAI CHEMEX REGA.exe, 00000004.00000002.911039343.00000000015D0000.00000002.00000001.sdmp, AlxpSuW.exe, 0000000A.00000002.910592454.0000000001C60000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: DUBAI CHEMEX REGA.exe, 00000004.00000002.911039343.00000000015D0000.00000002.00000001.sdmp, AlxpSuW.exe, 0000000A.00000002.910592454.0000000001C60000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: DUBAI CHEMEX REGA.exe, 00000004.00000002.911039343.00000000015D0000.00000002.00000001.sdmp, AlxpSuW.exe, 0000000A.00000002.910592454.0000000001C60000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: DUBAI CHEMEX REGA.exe, 00000004.00000002.911039343.00000000015D0000.00000002.00000001.sdmp, AlxpSuW.exe, 0000000A.00000002.910592454.0000000001C60000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AlxpSuW\AlxpSuW.exe	Queries volume information: C:\Users\user\AppData\Roaming\AlxpSuW\AlxpSuW.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AlxpSuW\AlxpSuW.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AlxpSuW\AlxpSuW.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AlxpSuW\AlxpSuW.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AlxpSuW\AlxpSuW.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AlxpSuW\AlxpSuW.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AlxpSuW\AlxpSuW.exe	Queries volume information: C:\Users\user\AppData\Roaming\AlxpSuW\AlxpSuW.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AlxpSuW\AlxpSuW.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AlxpSuW\AlxpSuW.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AlxpSuW\AlxpSuW.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AlxpSuW\AlxpSuW.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AlxpSuW\AlxpSuW.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AlxpSuW\AlxpSuW.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\AlxpSuW\AlxpSuW.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected AgentTesla

Show sources

Source: Yara match	File source: 00000000.00000002.665376821.0000000004579000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.911263049.0000000002B71000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.746129783.00000000039B8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.909140573.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.909153388.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.910963365.0000000003201000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: DUBAI CHEMEX REGA.exe PID: 3120, type: MEMORY
Source: Yara match	File source: Process Memory Space: AlxpSuW.exe PID: 7044, type: MEMORY
Source: Yara match	File source: Process Memory Space: DUBAI CHEMEX REGA.exe PID: 6900, type: MEMORY
Source: Yara match	File source: Process Memory Space: AlxpSuW.exe PID: 6564, type: MEMORY
Source: Yara match	File source: 9.2.AlxpSuW.exe.3a3edf8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.DUBAI CHEMEX REGA.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.AlxpSuW.exe.3a3edf8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DUBAI CHEMEX REGA.exe.45fedf8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DUBAI CHEMEX REGA.exe.45fedf8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.AlxpSuW.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.AlxpSuW.exe.39d27d8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DUBAI CHEMEX REGA.exe.45927d8.2.raw.unpack, type: UNPACKEDPE

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Show sources

Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Show sources

Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior

Tries to harvest and steal ftp login credentials

Show sources

Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml			Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\			Jump to behavior

Tries to steal Mail credentials (via file access)

Show sources

Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Source: Yara match	File source: 00000004.00000002.911263049.0000000002B71000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.910963365.0000000003201000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: DUBAI CHEMEX REGA.exe PID: 3120, type: MEMORY
Source: Yara match	File source: Process Memory Space: AlxpSuW.exe PID: 7044, type: MEMORY

Remote Access Functionality:

Yara detected AgentTesla

Show sources

Source: Yara match	File source: 00000000.00000002.665376821.0000000004579000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.911263049.0000000002B71000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.746129783.00000000039B8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.909140573.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.909153388.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.910963365.0000000003201000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: DUBAI CHEMEX REGA.exe PID: 3120, type: MEMORY
Source: Yara match	File source: Process Memory Space: AlxpSuW.exe PID: 7044, type: MEMORY
Source: Yara match	File source: Process Memory Space: DUBAI CHEMEX REGA.exe PID: 6900, type: MEMORY
Source: Yara match	File source: Process Memory Space: AlxpSuW.exe PID: 6564, type: MEMORY
Source: Yara match	File source: 9.2.AlxpSuW.exe.3a3edf8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.DUBAI CHEMEX REGA.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.AlxpSuW.exe.3a3edf8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DUBAI CHEMEX REGA.exe.45fedf8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DUBAI CHEMEX REGA.exe.45fedf8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.AlxpSuW.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.AlxpSuW.exe.39d27d8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DUBAI CHEMEX REGA.exe.45927d8.2.raw.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation211	Registry Run Keys / Startup Folder1	Process Injection112	Disable or Modify Tools1	OS Credential Dumping2	System Information Discovery114	Remote Services	Archive Collected Data11	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Registry Run Keys / Startup Folder1	Deobfuscate/Decode Files or Information1	Input Capture211	Query Registry1	Remote Desktop Protocol	Data from Local System2	Exfiltration Over Bluetooth	Non-Standard Port1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information3	Credentials in Registry1	Security Software Discovery311	SMB/Windows Admin Shares	Email Collection1	Automated Exfiltration	Non-Application Layer Protocol1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Software Packing3	NTDS	Process Discovery2	Distributed Component Object Model	Input Capture211	Scheduled Transfer	Application Layer Protocol11	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Masquerading1	LSA Secrets	Virtualization/Sandbox Evasion131	SSH	Clipboard Data1	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Virtualization/Sandbox Evasion131	Cached Domain Credentials	Application Window Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Process Injection112	DCSync	Remote System Discovery1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Hidden Files and Directories1	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
DUBAI CHEMEX REGA.exe	25%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla
DUBAI CHEMEX REGA.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\AlxpSuW\AlxpSuW.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\AlxpSuW\AlxpSuW.exe	25%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
4.2.DUBAI CHEMEX REGA.exe.400000.0.unpack	100%	Avira	TR/Spy.Gen8		Download File
10.2.AlxpSuW.exe.400000.0.unpack	100%	Avira	TR/Spy.Gen8		Download File

Domains

Source	Detection	Scanner	Label	Link
webmail.satguruclearing.com	1%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
http://127.0.0.1:HTTP/1.1	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/l~	0%	Avira URL Cloud	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/C~	0%	Avira URL Cloud	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://fhHdHb.com	0%	Avira URL Cloud	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/9	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/9	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/9	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/9	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/5~	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/Y0o	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/Q~)M	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/jp/5~	0%	Avira URL Cloud	safe
http://www.fonts.comn	0%	URL Reputation	safe
http://www.fonts.comn	0%	URL Reputation	safe
http://www.fonts.comn	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
https://api.ipify.org%GETMozilla/5.0	0%	URL Reputation	safe
https://api.ipify.org%GETMozilla/5.0	0%	URL Reputation	safe
https://api.ipify.org%GETMozilla/5.0	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/.~6M	0%	Avira URL Cloud	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
https://api.ipify.org%	0%	URL Reputation	safe
https://api.ipify.org%	0%	URL Reputation	safe
https://api.ipify.org%	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	0%	URL Reputation	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://www.fontbureau.comue	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cnrig)E	0%	Avira URL Cloud	safe
http://www.fonts.comc	0%	URL Reputation	safe
http://www.fonts.comc	0%	URL Reputation	safe
http://www.fonts.comc	0%	URL Reputation	safe
http://www.founder.com.cn/cnLog	0%	Avira URL Cloud	safe
https://Ii19E5Eebc4fe8K8ng5D.com	0%	Avira URL Cloud	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/dd8	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/jp/	0%	URL Reputation	safe
http://www.fontbureau.coma	0%	URL Reputation	safe
http://www.fontbureau.coma	0%	URL Reputation	safe
http://www.fontbureau.coma	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
webmail.satguruclearing.com	208.91.199.135	true	true	1%, Virustotal, Browse	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://127.0.0.1:HTTP/1.1	DUBAI CHEMEX REGA.exe, 00000004.00000002.911263049.0000000002B71000.00000004.00000001.sdmp, AlxpSuW.exe, 0000000A.00000002.910963365.0000000003201000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://www.fontbureau.com/designersG	DUBAI CHEMEX REGA.exe, 00000000.00000002.669646935.00000000075D2000.00000004.00000001.sdmp, AlxpSuW.exe, 00000009.00000002.749806133.0000000005870000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com/designers/?	DUBAI CHEMEX REGA.exe, 00000000.00000002.669646935.00000000075D2000.00000004.00000001.sdmp, AlxpSuW.exe, 00000009.00000002.749806133.0000000005870000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cn/bThe	DUBAI CHEMEX REGA.exe, 00000000.00000002.669646935.00000000075D2000.00000004.00000001.sdmp, AlxpSuW.exe, 00000009.00000002.749806133.0000000005870000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers?	DUBAI CHEMEX REGA.exe, 00000000.00000002.669646935.00000000075D2000.00000004.00000001.sdmp, AlxpSuW.exe, 00000009.00000002.749806133.0000000005870000.00000002.00000001.sdmp	false		high
http://www.jiyu-kobo.co.jp/l~	DUBAI CHEMEX REGA.exe, 00000000.00000003.649527166.0000000006383000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name4	DUBAI CHEMEX REGA.exe, 00000000.00000002.664563832.000000000339A000.00000004.00000001.sdmp, AlxpSuW.exe, 00000009.00000002.741183439.00000000027DC000.00000004.00000001.sdmp	false		high
http://www.tiro.com	AlxpSuW.exe, 00000009.00000002.749806133.0000000005870000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/C~	DUBAI CHEMEX REGA.exe, 00000000.00000003.649849888.000000000638C000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers	AlxpSuW.exe, 00000009.00000002.749806133.0000000005870000.00000002.00000001.sdmp	false		high
http://www.goodfont.co.kr	DUBAI CHEMEX REGA.exe, 00000000.00000002.669646935.00000000075D2000.00000004.00000001.sdmp, AlxpSuW.exe, 00000009.00000002.749806133.0000000005870000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://fhHdHb.com	AlxpSuW.exe, 0000000A.00000002.910963365.0000000003201000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css	DUBAI CHEMEX REGA.exe, 00000000.00000002.664541642.0000000003381000.00000004.00000001.sdmp, AlxpSuW.exe, 00000009.00000002.741126162.00000000027C1000.00000004.00000001.sdmp	false		high
http://www.sajatypeworks.com	DUBAI CHEMEX REGA.exe, 00000000.00000002.669646935.00000000075D2000.00000004.00000001.sdmp, AlxpSuW.exe, 00000009.00000002.749806133.0000000005870000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/9	DUBAI CHEMEX REGA.exe, 00000000.00000003.649849888.000000000638C000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.typography.netD	DUBAI CHEMEX REGA.exe, 00000000.00000002.669646935.00000000075D2000.00000004.00000001.sdmp, AlxpSuW.exe, 00000009.00000002.749806133.0000000005870000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.cn/cn/cThe	DUBAI CHEMEX REGA.exe, 00000000.00000002.669646935.00000000075D2000.00000004.00000001.sdmp, AlxpSuW.exe, 00000009.00000002.749806133.0000000005870000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	DUBAI CHEMEX REGA.exe, 00000000.00000002.669646935.00000000075D2000.00000004.00000001.sdmp, AlxpSuW.exe, 00000009.00000002.749806133.0000000005870000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://fontfabrik.com	DUBAI CHEMEX REGA.exe, 00000000.00000002.669646935.00000000075D2000.00000004.00000001.sdmp, AlxpSuW.exe, 00000009.00000002.749806133.0000000005870000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/5~	DUBAI CHEMEX REGA.exe, 00000000.00000003.649641249.000000000638C000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/Y0o	DUBAI CHEMEX REGA.exe, 00000000.00000003.649754673.000000000638C000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/Q~)M	DUBAI CHEMEX REGA.exe, 00000000.00000003.649977429.0000000006386000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/jp/5~	DUBAI CHEMEX REGA.exe, 00000000.00000003.649754673.000000000638C000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fonts.comn	DUBAI CHEMEX REGA.exe, 00000000.00000003.646602465.000000000639B000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.galapagosdesign.com/DPlease	DUBAI CHEMEX REGA.exe, 00000000.00000002.669646935.00000000075D2000.00000004.00000001.sdmp, AlxpSuW.exe, 00000009.00000002.749806133.0000000005870000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://api.ipify.org%GETMozilla/5.0	AlxpSuW.exe, 0000000A.00000002.910963365.0000000003201000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	low
http://www.fonts.com	DUBAI CHEMEX REGA.exe, 00000000.00000002.669646935.00000000075D2000.00000004.00000001.sdmp, AlxpSuW.exe, 00000009.00000002.749806133.0000000005870000.00000002.00000001.sdmp	false		high
http://www.sandoll.co.kr	DUBAI CHEMEX REGA.exe, 00000000.00000002.669646935.00000000075D2000.00000004.00000001.sdmp, AlxpSuW.exe, 00000009.00000002.749806133.0000000005870000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.urwpp.deDPlease	DUBAI CHEMEX REGA.exe, 00000000.00000002.669646935.00000000075D2000.00000004.00000001.sdmp, AlxpSuW.exe, 00000009.00000002.749806133.0000000005870000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/.~6M	DUBAI CHEMEX REGA.exe, 00000000.00000003.649641249.000000000638C000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.zhongyicts.com.cn	DUBAI CHEMEX REGA.exe, 00000000.00000002.669646935.00000000075D2000.00000004.00000001.sdmp, AlxpSuW.exe, 00000009.00000002.749806133.0000000005870000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	DUBAI CHEMEX REGA.exe, 00000000.00000002.664563832.000000000339A000.00000004.00000001.sdmp, DUBAI CHEMEX REGA.exe, 00000000.00000002.664541642.0000000003381000.00000004.00000001.sdmp, AlxpSuW.exe, 00000009.00000002.741183439.00000000027DC000.00000004.00000001.sdmp, AlxpSuW.exe, 00000009.00000002.741126162.00000000027C1000.00000004.00000001.sdmp	false		high
http://www.sakkal.com	DUBAI CHEMEX REGA.exe, 00000000.00000002.669646935.00000000075D2000.00000004.00000001.sdmp, AlxpSuW.exe, 00000009.00000002.749806133.0000000005870000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://api.ipify.org%	DUBAI CHEMEX REGA.exe, 00000004.00000002.911263049.0000000002B71000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	low
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	DUBAI CHEMEX REGA.exe, 00000000.00000002.665376821.0000000004579000.00000004.00000001.sdmp, DUBAI CHEMEX REGA.exe, 00000004.00000002.909140573.0000000000402000.00000040.00000001.sdmp, AlxpSuW.exe, 00000009.00000002.746129783.00000000039B8000.00000004.00000001.sdmp, AlxpSuW.exe, 0000000A.00000002.909153388.0000000000402000.00000040.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0	DUBAI CHEMEX REGA.exe, 00000000.00000002.669646935.00000000075D2000.00000004.00000001.sdmp, AlxpSuW.exe, 00000009.00000002.749806133.0000000005870000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com	DUBAI CHEMEX REGA.exe, 00000000.00000002.669646935.00000000075D2000.00000004.00000001.sdmp, AlxpSuW.exe, 00000009.00000002.749806133.0000000005870000.00000002.00000001.sdmp	false		high
http://DynDns.comDynDNS	AlxpSuW.exe, 0000000A.00000002.910963365.0000000003201000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.comue	DUBAI CHEMEX REGA.exe, 00000000.00000002.668995974.000000000638A000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.founder.com.cn/cnrig)E	DUBAI CHEMEX REGA.exe, 00000000.00000003.648227085.0000000006391000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fonts.comc	DUBAI CHEMEX REGA.exe, 00000000.00000003.646661565.000000000639B000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.cn/cnLog	DUBAI CHEMEX REGA.exe, 00000000.00000003.648227085.0000000006391000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://Ii19E5Eebc4fe8K8ng5D.com	DUBAI CHEMEX REGA.exe, 00000004.00000002.911770163.0000000002EDC000.00000004.00000001.sdmp, DUBAI CHEMEX REGA.exe, 00000004.00000003.862456569.0000000000D84000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	DUBAI CHEMEX REGA.exe, 00000004.00000002.911263049.0000000002B71000.00000004.00000001.sdmp, AlxpSuW.exe, 0000000A.00000002.910963365.0000000003201000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/dd8	DUBAI CHEMEX REGA.exe, 00000000.00000003.649641249.000000000638C000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/jp/	DUBAI CHEMEX REGA.exe, 00000000.00000003.649641249.000000000638C000.00000004.00000001.sdmp, DUBAI CHEMEX REGA.exe, 00000000.00000003.649849888.000000000638C000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.coma	DUBAI CHEMEX REGA.exe, 00000000.00000002.668995974.000000000638A000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.carterandcone.coml	DUBAI CHEMEX REGA.exe, 00000000.00000002.669646935.00000000075D2000.00000004.00000001.sdmp, AlxpSuW.exe, 00000009.00000002.749806133.0000000005870000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	DUBAI CHEMEX REGA.exe, 00000000.00000002.669646935.00000000075D2000.00000004.00000001.sdmp, AlxpSuW.exe, 00000009.00000002.749806133.0000000005870000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cn	DUBAI CHEMEX REGA.exe, 00000000.00000002.669646935.00000000075D2000.00000004.00000001.sdmp, AlxpSuW.exe, 00000009.00000002.749806133.0000000005870000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-user.html	DUBAI CHEMEX REGA.exe, 00000000.00000002.669646935.00000000075D2000.00000004.00000001.sdmp, AlxpSuW.exe, 00000009.00000002.749806133.0000000005870000.00000002.00000001.sdmp	false		high
http://www.jiyu-kobo.co.jp/	DUBAI CHEMEX REGA.exe, 00000000.00000003.649641249.000000000638C000.00000004.00000001.sdmp, DUBAI CHEMEX REGA.exe, 00000000.00000003.649849888.000000000638C000.00000004.00000001.sdmp, DUBAI CHEMEX REGA.exe, 00000000.00000003.649977429.0000000006386000.00000004.00000001.sdmp, AlxpSuW.exe, 00000009.00000002.749806133.0000000005870000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/n	DUBAI CHEMEX REGA.exe, 00000000.00000003.649641249.000000000638C000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://webmail.satguruclearing.com	DUBAI CHEMEX REGA.exe, 00000004.00000002.911837506.0000000002EFC000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers8	DUBAI CHEMEX REGA.exe, 00000000.00000002.669646935.00000000075D2000.00000004.00000001.sdmp, AlxpSuW.exe, 00000009.00000002.749806133.0000000005870000.00000002.00000001.sdmp	false		high
http://www.tiro.comym	DUBAI CHEMEX REGA.exe, 00000000.00000003.647546366.000000000639B000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/jp/.~6M	DUBAI CHEMEX REGA.exe, 00000000.00000003.649754673.000000000638C000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/e~	DUBAI CHEMEX REGA.exe, 00000000.00000003.649641249.000000000638C000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
208.91.199.135	webmail.satguruclearing.com	United States		394695	PUBLIC-DOMAIN-REGISTRYUS	true

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	385489
Start date:	12.04.2021
Start time:	15:29:31
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 12m 11s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	DUBAI CHEMEX REGA.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	24
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@7/5@2/1
EGA Information:	Failed
HDC Information:	Successful, ratio: 0.4% (good quality ratio 0.3%) Quality average: 48.9% Quality standard deviation: 32.4%
HCA Information:	Successful, ratio: 98% Number of executed functions: 174 Number of non-executed functions: 28
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 20.82.209.183, 131.253.33.200, 13.107.22.200, 104.43.139.144, 92.122.145.220, 104.42.151.234, 13.88.21.125, 20.50.102.62, 93.184.221.240, 52.155.217.156, 20.54.26.129, 13.64.90.137, 168.61.161.212, 92.122.213.194, 92.122.213.247 Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, store-images.s-microsoft.com-c.edgekey.net, a1449.dscg2.akamai.net, arc.msn.com, wu.azureedge.net, consumerrp-displaycatalog-aks2eap-europe.md.mp.microsoft.com.akadns.net, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, e12564.dspb.akamaiedge.net, www-bing-com.dual-a-0001.a-msedge.net, audownload.windowsupdate.nsatc.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, wu.wpc.apr-52dd2.edgecastdns.net, consumerrp-displaycatalog-aks2eap.md.mp.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, www.bing.com, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, skypedataprdcolwus17.cloudapp.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, wu.ec.azureedge.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, ctldl.windowsupdate.com, skypedataprdcolcus17.cloudapp.net, skypedataprdcolcus16.cloudapp.net, dual-a-0001.dc-msedge.net, ris.api.iris.microsoft.com, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus16.cloudapp.net, skypedataprdcolwus15.cloudapp.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net Report creation exceeded maximum time and may have missing disassembly code information. Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
15:30:24	API Interceptor	677x Sleep call for process: DUBAI CHEMEX REGA.exe modified
15:30:48	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run AlxpSuW C:\Users\user\AppData\Roaming\AlxpSuW\AlxpSuW.exe
15:30:56	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run AlxpSuW C:\Users\user\AppData\Roaming\AlxpSuW\AlxpSuW.exe
15:31:00	API Interceptor	505x Sleep call for process: AlxpSuW.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
208.91.199.135	Dubai REGA 2021UAE.exe	Get hash	malicious	Browse
	DUBAI UAEGH092021.exe	Get hash	malicious	Browse
	HCU2134 SINGAPORE.doc	Get hash	malicious	Browse
	DUBAI PPMC HCU217ED.exe	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
webmail.satguruclearing.com	Dubai REGA 2021UAE.exe	Get hash	malicious	Browse	208.91.199.135
	DUBAI UAEGH092021.exe	Get hash	malicious	Browse	208.91.199.135
	SecuriteInfo.com.Trojan.Siggen12.57034.10737.exe	Get hash	malicious	Browse	208.91.199.135
	HCU2134 SINGAPORE.doc	Get hash	malicious	Browse	208.91.199.135
	DUBAI PPMC HCU217ED.exe	Get hash	malicious	Browse	208.91.199.135

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
PUBLIC-DOMAIN-REGISTRYUS	BILL-OOO566876.exe	Get hash	malicious	Browse	208.91.199.225
	SecuriteInfo.com.Scr.Malcodegdn30.29716.exe	Get hash	malicious	Browse	208.91.198.143
	commercial invoice & packing list doc.exe	Get hash	malicious	Browse	43.225.55.205
	ORDER 9387383900.xlsx	Get hash	malicious	Browse	208.91.199.225
	Payment Advice Note from 02.04.2021 to 608761.exe	Get hash	malicious	Browse	208.91.199.223
	Dubai REGA 2021UAE.exe	Get hash	malicious	Browse	208.91.199.135
	e0xd7qhFaMk3Dpx.exe	Get hash	malicious	Browse	208.91.198.143
	Dridex.xls	Get hash	malicious	Browse	208.91.199.159
	documents-351331057.xlsm	Get hash	malicious	Browse	162.251.80.27
	documents-351331057.xlsm	Get hash	malicious	Browse	162.251.80.27
	DUBAI UAEGH092021.exe	Get hash	malicious	Browse	208.91.199.135
	PAGO FACTURA V-8680.exe	Get hash	malicious	Browse	208.91.198.143
	documents-1819557117.xlsm	Get hash	malicious	Browse	162.251.80.27
	documents-1819557117.xlsm	Get hash	malicious	Browse	162.251.80.27
	usd 420232.exe	Get hash	malicious	Browse	208.91.199.225
	P037725600.exe	Get hash	malicious	Browse	208.91.199.225
	VAT INVOICE.exe	Get hash	malicious	Browse	208.91.199.224
	VAT INVOICE.exe	Get hash	malicious	Browse	208.91.199.224
	NEW ORDER.exe	Get hash	malicious	Browse	208.91.198.143
	TRANSFERENCIA AL EXTERIOR U810295.exe	Get hash	malicious	Browse	208.91.198.143

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AlxpSuW.exe.log Download File
Process:	C:\Users\user\AppData\Roaming\AlxpSuW\AlxpSuW.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1314
Entropy (8bit):	5.350128552078965
Encrypted:	false
SSDEEP:	24:MLU84jE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4sAmEw:MgvjHK5HKXE1qHiYHKhQnoPtHoxHhAHR
MD5:	1DC1A2DCC9EFAA84EABF4F6D6066565B
SHA1:	B7FCF805B6DD8DE815EA9BC089BD99F1E617F4E9
SHA-256:	28D63442C17BF19558655C88A635CB3C3FF1BAD1CCD9784090B9749A7E71FCEF
SHA-512:	95DD7E2AB0884A3EFD9E26033B337D1F97DDF9A8E9E9C4C32187DCD40622D8B1AC8CCDBA12A70A6B9075DF5E7F68DF2F8FBA4AB33DB4576BE9806B8E191802B7
Malicious:	false
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\DUBAI CHEMEX REGA.exe.log Download File
Process:	C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1314
Entropy (8bit):	5.350128552078965
Encrypted:	false
SSDEEP:	24:MLU84jE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4sAmEw:MgvjHK5HKXE1qHiYHKhQnoPtHoxHhAHR
MD5:	1DC1A2DCC9EFAA84EABF4F6D6066565B
SHA1:	B7FCF805B6DD8DE815EA9BC089BD99F1E617F4E9
SHA-256:	28D63442C17BF19558655C88A635CB3C3FF1BAD1CCD9784090B9749A7E71FCEF
SHA-512:	95DD7E2AB0884A3EFD9E26033B337D1F97DDF9A8E9E9C4C32187DCD40622D8B1AC8CCDBA12A70A6B9075DF5E7F68DF2F8FBA4AB33DB4576BE9806B8E191802B7
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

C:\Users\user\AppData\Roaming\AlxpSuW\AlxpSuW.exe Download File
Process:	C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	623104
Entropy (8bit):	7.483309393560406
Encrypted:	false
SSDEEP:	12288:rxpH6m/fCbppI+hEUdrTcxp/mYkTTMQBLAhkDKi:7r3CPIOrV4x0YmTMQyhkmi
MD5:	7A7078E03FD2FEE66B7436DA7222D2E0
SHA1:	03F9DD35D1D16D69DA789E8E1E0119F0163ADAAE
SHA-256:	B655965E57F392A0C5D82D2F248D432575B4F7092FA87A8BD868E56E6E32D546
SHA-512:	8E6E91E97B95946F13769BAFE7BF421D2021158B33C30D4395FEE4D3A37EA3DA2DE3E4BA4429860F492A3332B2F086CB9C13D429724806C95F83BAA432D35006
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 25%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...R.s`..............P.................. ... ....@.. ....................................@.................................X...O.... ..<............................................................................ ............... ..H............text........ ...................... ..`.rsrc...<.... ......................@..@.reloc..............................@..B........................H.......................@....I...........................................0............($...(%.........(.....o&.........................('......((......()......(......(+....N..(....o....(,....&..(-.....s.........s/........s0........s1........s2............0...........~....o3....+...0...........~....o4....+...0...........~....o5....+...0...........~....o6....+...0...........~....o7....+...0..<........~.....(8.....,!r...p.....(9...o:...s;............~.....+...0......

C:\Users\user\AppData\Roaming\AlxpSuW\AlxpSuW.exe:Zone.Identifier Download File
Process:	C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Roaming\wwcoyfzh.i55\Chrome\Default\Cookies Download File
Process:	C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	modified
Size (bytes):	20480
Entropy (8bit):	0.7006690334145785
Encrypted:	false
SSDEEP:	24:TLbJLbXaFpEO5bNmISHn06UwcQPx5fBoe9H6pf1H1oNQ:T5LLOpEO5J/Kn7U1uBobfvoNQ
MD5:	A7FE10DA330AD03BF22DC9AC76BBB3E4
SHA1:	1805CB7A2208BAEFF71DCB3FE32DB0CC935CF803
SHA-256:	8D6B84A96429B5C672838BF431A47EC59655E561EBFBB4E63B46351D10A7AAD8
SHA-512:	1DBE27AED6E1E98E9F82AC1F5B774ACB6F3A773BEB17B66C2FB7B89D12AC87A6D5B716EF844678A5417F30EE8855224A8686A135876AB4C0561B3C6059E635C7
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	SQLite format 3......@ ..........................................................................C....... ..g... .8....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.483309393560406
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	DUBAI CHEMEX REGA.exe
File size:	623104
MD5:	7a7078e03fd2fee66b7436da7222d2e0
SHA1:	03f9dd35d1d16d69da789e8e1e0119f0163adaae
SHA256:	b655965e57f392a0c5d82d2f248d432575b4f7092fa87a8bd868e56e6e32d546
SHA512:	8e6e91e97b95946f13769bafe7bf421d2021158b33c30d4395fee4d3a37ea3da2de3e4ba4429860f492a3332b2f086cb9c13d429724806c95f83baa432d35006
SSDEEP:	12288:rxpH6m/fCbppI+hEUdrTcxp/mYkTTMQBLAhkDKi:7r3CPIOrV4x0YmTMQyhkmi
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...R.s`..............P.................. ... ....@.. ....................................@................................

File Icon


Icon Hash:	1103212484000000

Static PE Info

General
Entrypoint:	0x4802aa
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x6073F552 [Mon Apr 12 07:22:58 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
or dword ptr [edx], ecx
or eax, 00000020h
add byte ptr [ecx+49h], cl
sub al, byte ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
dec ebp
dec ebp
add byte ptr [edx], ch
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x80258	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x82000	0x1983c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x9c000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x7e2c8	0x7e400	False	0.881789526609	PGP symmetric key encrypted data - Plaintext or unencrypted data	7.81409495243	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0x82000	0x1983c	0x19a00	False	0.196741615854	data	3.42109206296	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x9c000	0xc	0x200	False	0.044921875	data	0.0815394123432	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type
RT_ICON	0x82220	0x468	GLS_BINARY_LSB_FIRST
RT_ICON	0x82688	0x10a8	dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 4294901502, next used block 4294901502
RT_ICON	0x83730	0x25a8	dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 4294901502, next used block 4294901502
RT_ICON	0x85cd8	0x4228	dBase IV DBT of \200.DBF, blocks size 0, block length 16384, next free block index 40, next free block 4294901502, next used block 4294901502
RT_ICON	0x89f00	0x10828	data
RT_GROUP_ICON	0x9a728	0x4c	data
RT_GROUP_ICON	0x9a774	0x14	data
RT_VERSION	0x9a788	0x38c	PGP symmetric key encrypted data - Plaintext or unencrypted data
RT_MANIFEST	0x9ab14	0xd25	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF, LF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	Copyright Adobe Inc, Sel 2011 - 2021
Assembly Version	1.0.0.0
InternalName	EventResetMode.exe
FileVersion	1.0.0.0
CompanyName	Adobe Inc, Sel
LegalTrademarks
Comments
ProductName	Image Studio
ProductVersion	1.0.0.0
FileDescription	Image Studio
OriginalFilename	EventResetMode.exe

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
04/12/21-15:32:11.865425	TCP	2030171	ET TROJAN AgentTesla Exfil Via SMTP	49763	587	192.168.2.4	208.91.199.135
04/12/21-15:32:16.013568	TCP	2030171	ET TROJAN AgentTesla Exfil Via SMTP	49764	587	192.168.2.4	208.91.199.135

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 12, 2021 15:32:10.188775063 CEST	49763	587	192.168.2.4	208.91.199.135
Apr 12, 2021 15:32:10.357816935 CEST	587	49763	208.91.199.135	192.168.2.4
Apr 12, 2021 15:32:10.358504057 CEST	49763	587	192.168.2.4	208.91.199.135
Apr 12, 2021 15:32:10.765691042 CEST	587	49763	208.91.199.135	192.168.2.4
Apr 12, 2021 15:32:10.766298056 CEST	49763	587	192.168.2.4	208.91.199.135
Apr 12, 2021 15:32:10.941135883 CEST	587	49763	208.91.199.135	192.168.2.4
Apr 12, 2021 15:32:10.942754984 CEST	49763	587	192.168.2.4	208.91.199.135
Apr 12, 2021 15:32:11.118453026 CEST	587	49763	208.91.199.135	192.168.2.4
Apr 12, 2021 15:32:11.119129896 CEST	49763	587	192.168.2.4	208.91.199.135
Apr 12, 2021 15:32:11.324501991 CEST	587	49763	208.91.199.135	192.168.2.4
Apr 12, 2021 15:32:11.325351954 CEST	49763	587	192.168.2.4	208.91.199.135
Apr 12, 2021 15:32:11.499969959 CEST	587	49763	208.91.199.135	192.168.2.4
Apr 12, 2021 15:32:11.500483036 CEST	49763	587	192.168.2.4	208.91.199.135
Apr 12, 2021 15:32:11.687432051 CEST	587	49763	208.91.199.135	192.168.2.4
Apr 12, 2021 15:32:11.687797070 CEST	49763	587	192.168.2.4	208.91.199.135
Apr 12, 2021 15:32:11.862266064 CEST	587	49763	208.91.199.135	192.168.2.4
Apr 12, 2021 15:32:11.862364054 CEST	587	49763	208.91.199.135	192.168.2.4
Apr 12, 2021 15:32:11.865425110 CEST	49763	587	192.168.2.4	208.91.199.135
Apr 12, 2021 15:32:11.865778923 CEST	49763	587	192.168.2.4	208.91.199.135
Apr 12, 2021 15:32:11.866642952 CEST	49763	587	192.168.2.4	208.91.199.135
Apr 12, 2021 15:32:11.866820097 CEST	49763	587	192.168.2.4	208.91.199.135
Apr 12, 2021 15:32:12.034543037 CEST	587	49763	208.91.199.135	192.168.2.4
Apr 12, 2021 15:32:12.035501957 CEST	587	49763	208.91.199.135	192.168.2.4
Apr 12, 2021 15:32:12.037487984 CEST	587	49763	208.91.199.135	192.168.2.4
Apr 12, 2021 15:32:12.080284119 CEST	49763	587	192.168.2.4	208.91.199.135
Apr 12, 2021 15:32:13.614428043 CEST	49763	587	192.168.2.4	208.91.199.135
Apr 12, 2021 15:32:13.789947033 CEST	587	49763	208.91.199.135	192.168.2.4
Apr 12, 2021 15:32:13.790798903 CEST	49763	587	192.168.2.4	208.91.199.135
Apr 12, 2021 15:32:13.792022943 CEST	49763	587	192.168.2.4	208.91.199.135
Apr 12, 2021 15:32:13.966669083 CEST	587	49763	208.91.199.135	192.168.2.4
Apr 12, 2021 15:32:14.397428989 CEST	49764	587	192.168.2.4	208.91.199.135
Apr 12, 2021 15:32:14.562386990 CEST	587	49764	208.91.199.135	192.168.2.4
Apr 12, 2021 15:32:14.562629938 CEST	49764	587	192.168.2.4	208.91.199.135
Apr 12, 2021 15:32:14.965632915 CEST	587	49764	208.91.199.135	192.168.2.4
Apr 12, 2021 15:32:14.966111898 CEST	49764	587	192.168.2.4	208.91.199.135
Apr 12, 2021 15:32:15.131253004 CEST	587	49764	208.91.199.135	192.168.2.4
Apr 12, 2021 15:32:15.131865025 CEST	49764	587	192.168.2.4	208.91.199.135
Apr 12, 2021 15:32:15.297158003 CEST	587	49764	208.91.199.135	192.168.2.4
Apr 12, 2021 15:32:15.298182011 CEST	49764	587	192.168.2.4	208.91.199.135
Apr 12, 2021 15:32:15.474678993 CEST	587	49764	208.91.199.135	192.168.2.4
Apr 12, 2021 15:32:15.475152016 CEST	49764	587	192.168.2.4	208.91.199.135
Apr 12, 2021 15:32:15.649852991 CEST	587	49764	208.91.199.135	192.168.2.4
Apr 12, 2021 15:32:15.650204897 CEST	49764	587	192.168.2.4	208.91.199.135
Apr 12, 2021 15:32:15.836138010 CEST	587	49764	208.91.199.135	192.168.2.4
Apr 12, 2021 15:32:15.836350918 CEST	49764	587	192.168.2.4	208.91.199.135
Apr 12, 2021 15:32:16.011018991 CEST	587	49764	208.91.199.135	192.168.2.4
Apr 12, 2021 15:32:16.011070967 CEST	587	49764	208.91.199.135	192.168.2.4
Apr 12, 2021 15:32:16.013051987 CEST	49764	587	192.168.2.4	208.91.199.135
Apr 12, 2021 15:32:16.013567924 CEST	49764	587	192.168.2.4	208.91.199.135
Apr 12, 2021 15:32:16.013890982 CEST	49764	587	192.168.2.4	208.91.199.135
Apr 12, 2021 15:32:16.014468908 CEST	49764	587	192.168.2.4	208.91.199.135
Apr 12, 2021 15:32:16.014880896 CEST	49764	587	192.168.2.4	208.91.199.135
Apr 12, 2021 15:32:16.015136957 CEST	49764	587	192.168.2.4	208.91.199.135
Apr 12, 2021 15:32:16.015306950 CEST	49764	587	192.168.2.4	208.91.199.135
Apr 12, 2021 15:32:16.015463114 CEST	49764	587	192.168.2.4	208.91.199.135
Apr 12, 2021 15:32:16.188087940 CEST	587	49764	208.91.199.135	192.168.2.4
Apr 12, 2021 15:32:16.188873053 CEST	587	49764	208.91.199.135	192.168.2.4
Apr 12, 2021 15:32:16.189342976 CEST	587	49764	208.91.199.135	192.168.2.4
Apr 12, 2021 15:32:16.189690113 CEST	587	49764	208.91.199.135	192.168.2.4
Apr 12, 2021 15:32:16.191374063 CEST	587	49764	208.91.199.135	192.168.2.4
Apr 12, 2021 15:32:16.236478090 CEST	49764	587	192.168.2.4	208.91.199.135

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 12, 2021 15:30:10.536741018 CEST	65248	53	192.168.2.4	8.8.8.8
Apr 12, 2021 15:30:10.554172993 CEST	53723	53	192.168.2.4	8.8.8.8
Apr 12, 2021 15:30:10.585721016 CEST	53	65248	8.8.8.8	192.168.2.4
Apr 12, 2021 15:30:10.627959967 CEST	53	53723	8.8.8.8	192.168.2.4
Apr 12, 2021 15:30:13.145498991 CEST	64646	53	192.168.2.4	8.8.8.8
Apr 12, 2021 15:30:13.196250916 CEST	53	64646	8.8.8.8	192.168.2.4
Apr 12, 2021 15:30:14.183625937 CEST	65298	53	192.168.2.4	8.8.8.8
Apr 12, 2021 15:30:14.242912054 CEST	53	65298	8.8.8.8	192.168.2.4
Apr 12, 2021 15:30:16.981522083 CEST	59123	53	192.168.2.4	8.8.8.8
Apr 12, 2021 15:30:17.033129930 CEST	53	59123	8.8.8.8	192.168.2.4
Apr 12, 2021 15:30:18.344963074 CEST	54531	53	192.168.2.4	8.8.8.8
Apr 12, 2021 15:30:18.393522024 CEST	53	54531	8.8.8.8	192.168.2.4
Apr 12, 2021 15:30:20.047566891 CEST	49714	53	192.168.2.4	8.8.8.8
Apr 12, 2021 15:30:20.096324921 CEST	53	49714	8.8.8.8	192.168.2.4
Apr 12, 2021 15:30:20.984571934 CEST	58028	53	192.168.2.4	8.8.8.8
Apr 12, 2021 15:30:21.033447027 CEST	53	58028	8.8.8.8	192.168.2.4
Apr 12, 2021 15:30:22.095227003 CEST	53097	53	192.168.2.4	8.8.8.8
Apr 12, 2021 15:30:22.152257919 CEST	53	53097	8.8.8.8	192.168.2.4
Apr 12, 2021 15:30:24.788847923 CEST	49257	53	192.168.2.4	8.8.8.8
Apr 12, 2021 15:30:24.846043110 CEST	53	49257	8.8.8.8	192.168.2.4
Apr 12, 2021 15:30:25.729618073 CEST	62389	53	192.168.2.4	8.8.8.8
Apr 12, 2021 15:30:25.778316021 CEST	53	62389	8.8.8.8	192.168.2.4
Apr 12, 2021 15:30:27.165736914 CEST	49910	53	192.168.2.4	8.8.8.8
Apr 12, 2021 15:30:27.217328072 CEST	53	49910	8.8.8.8	192.168.2.4
Apr 12, 2021 15:30:37.479927063 CEST	55854	53	192.168.2.4	8.8.8.8
Apr 12, 2021 15:30:37.531529903 CEST	53	55854	8.8.8.8	192.168.2.4
Apr 12, 2021 15:30:45.099642038 CEST	64549	53	192.168.2.4	8.8.8.8
Apr 12, 2021 15:30:45.149485111 CEST	53	64549	8.8.8.8	192.168.2.4
Apr 12, 2021 15:31:06.127593040 CEST	63153	53	192.168.2.4	8.8.8.8
Apr 12, 2021 15:31:06.176506996 CEST	53	63153	8.8.8.8	192.168.2.4
Apr 12, 2021 15:31:06.445293903 CEST	52991	53	192.168.2.4	8.8.8.8
Apr 12, 2021 15:31:06.557193041 CEST	53	52991	8.8.8.8	192.168.2.4
Apr 12, 2021 15:31:07.630270958 CEST	53700	53	192.168.2.4	8.8.8.8
Apr 12, 2021 15:31:07.742788076 CEST	53	53700	8.8.8.8	192.168.2.4
Apr 12, 2021 15:31:08.410974026 CEST	51726	53	192.168.2.4	8.8.8.8
Apr 12, 2021 15:31:08.471290112 CEST	53	51726	8.8.8.8	192.168.2.4
Apr 12, 2021 15:31:09.018810034 CEST	56794	53	192.168.2.4	8.8.8.8
Apr 12, 2021 15:31:09.076404095 CEST	53	56794	8.8.8.8	192.168.2.4
Apr 12, 2021 15:31:09.374248981 CEST	56534	53	192.168.2.4	8.8.8.8
Apr 12, 2021 15:31:09.446960926 CEST	53	56534	8.8.8.8	192.168.2.4
Apr 12, 2021 15:31:10.023163080 CEST	56627	53	192.168.2.4	8.8.8.8
Apr 12, 2021 15:31:10.074780941 CEST	53	56627	8.8.8.8	192.168.2.4
Apr 12, 2021 15:31:10.131000996 CEST	56621	53	192.168.2.4	8.8.8.8
Apr 12, 2021 15:31:10.179538012 CEST	53	56621	8.8.8.8	192.168.2.4
Apr 12, 2021 15:31:11.291363001 CEST	63116	53	192.168.2.4	8.8.8.8
Apr 12, 2021 15:31:11.399669886 CEST	53	63116	8.8.8.8	192.168.2.4
Apr 12, 2021 15:31:13.121179104 CEST	64078	53	192.168.2.4	8.8.8.8
Apr 12, 2021 15:31:13.178277016 CEST	53	64078	8.8.8.8	192.168.2.4
Apr 12, 2021 15:31:15.039782047 CEST	64801	53	192.168.2.4	8.8.8.8
Apr 12, 2021 15:31:15.102057934 CEST	53	64801	8.8.8.8	192.168.2.4
Apr 12, 2021 15:31:15.642467022 CEST	61721	53	192.168.2.4	8.8.8.8
Apr 12, 2021 15:31:15.693048954 CEST	53	61721	8.8.8.8	192.168.2.4
Apr 12, 2021 15:31:16.089579105 CEST	51255	53	192.168.2.4	8.8.8.8
Apr 12, 2021 15:31:16.236175060 CEST	53	51255	8.8.8.8	192.168.2.4
Apr 12, 2021 15:31:16.861805916 CEST	61522	53	192.168.2.4	8.8.8.8
Apr 12, 2021 15:31:16.925910950 CEST	53	61522	8.8.8.8	192.168.2.4
Apr 12, 2021 15:31:17.454323053 CEST	52337	53	192.168.2.4	8.8.8.8
Apr 12, 2021 15:31:17.502975941 CEST	53	52337	8.8.8.8	192.168.2.4
Apr 12, 2021 15:31:18.594506979 CEST	55046	53	192.168.2.4	8.8.8.8
Apr 12, 2021 15:31:18.646411896 CEST	53	55046	8.8.8.8	192.168.2.4
Apr 12, 2021 15:31:21.073769093 CEST	49612	53	192.168.2.4	8.8.8.8
Apr 12, 2021 15:31:21.124227047 CEST	53	49612	8.8.8.8	192.168.2.4
Apr 12, 2021 15:31:22.138350964 CEST	49285	53	192.168.2.4	8.8.8.8
Apr 12, 2021 15:31:22.189939022 CEST	53	49285	8.8.8.8	192.168.2.4
Apr 12, 2021 15:31:23.260183096 CEST	50601	53	192.168.2.4	8.8.8.8
Apr 12, 2021 15:31:23.321536064 CEST	53	50601	8.8.8.8	192.168.2.4
Apr 12, 2021 15:31:24.215230942 CEST	60875	53	192.168.2.4	8.8.8.8
Apr 12, 2021 15:31:24.276364088 CEST	53	60875	8.8.8.8	192.168.2.4
Apr 12, 2021 15:31:52.727340937 CEST	56448	53	192.168.2.4	8.8.8.8
Apr 12, 2021 15:31:52.776074886 CEST	53	56448	8.8.8.8	192.168.2.4
Apr 12, 2021 15:31:54.123553038 CEST	59172	53	192.168.2.4	8.8.8.8
Apr 12, 2021 15:31:54.172414064 CEST	53	59172	8.8.8.8	192.168.2.4
Apr 12, 2021 15:31:54.536668062 CEST	62420	53	192.168.2.4	8.8.8.8
Apr 12, 2021 15:31:54.594189882 CEST	53	62420	8.8.8.8	192.168.2.4
Apr 12, 2021 15:32:09.851968050 CEST	60579	53	192.168.2.4	8.8.8.8
Apr 12, 2021 15:32:10.054696083 CEST	53	60579	8.8.8.8	192.168.2.4
Apr 12, 2021 15:32:14.179001093 CEST	50183	53	192.168.2.4	8.8.8.8
Apr 12, 2021 15:32:14.394840002 CEST	53	50183	8.8.8.8	192.168.2.4
Apr 12, 2021 15:32:22.054699898 CEST	61531	53	192.168.2.4	8.8.8.8
Apr 12, 2021 15:32:22.116394997 CEST	53	61531	8.8.8.8	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Apr 12, 2021 15:32:09.851968050 CEST	192.168.2.4	8.8.8.8	0x60cc	Standard query (0)	webmail.satguruclearing.com	A (IP address)	IN (0x0001)
Apr 12, 2021 15:32:14.179001093 CEST	192.168.2.4	8.8.8.8	0x8ec4	Standard query (0)	webmail.satguruclearing.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Apr 12, 2021 15:32:10.054696083 CEST	8.8.8.8	192.168.2.4	0x60cc	No error (0)	webmail.satguruclearing.com		208.91.199.135	A (IP address)	IN (0x0001)
Apr 12, 2021 15:32:14.394840002 CEST	8.8.8.8	192.168.2.4	0x8ec4	No error (0)	webmail.satguruclearing.com		208.91.199.135	A (IP address)	IN (0x0001)

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Apr 12, 2021 15:32:10.765691042 CEST	587	49763	208.91.199.135	192.168.2.4	220-md-73.webhostbox.net ESMTP Exim 4.94 #2 Mon, 12 Apr 2021 13:32:10 +0000 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Apr 12, 2021 15:32:10.766298056 CEST	49763	587	192.168.2.4	208.91.199.135	EHLO 536720
Apr 12, 2021 15:32:10.941135883 CEST	587	49763	208.91.199.135	192.168.2.4	250-md-73.webhostbox.net Hello 536720 [84.17.52.3] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-X_PIPE_CONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Apr 12, 2021 15:32:10.942754984 CEST	49763	587	192.168.2.4	208.91.199.135	AUTH login a2lzaG9yZUBzYXRndXJ1Y2xlYXJpbmcuY29t
Apr 12, 2021 15:32:11.118453026 CEST	587	49763	208.91.199.135	192.168.2.4	334 UGFzc3dvcmQ6
Apr 12, 2021 15:32:11.324501991 CEST	587	49763	208.91.199.135	192.168.2.4	235 Authentication succeeded
Apr 12, 2021 15:32:11.325351954 CEST	49763	587	192.168.2.4	208.91.199.135	MAIL FROM:<kishore@satguruclearing.com>
Apr 12, 2021 15:32:11.499969959 CEST	587	49763	208.91.199.135	192.168.2.4	250 OK
Apr 12, 2021 15:32:11.500483036 CEST	49763	587	192.168.2.4	208.91.199.135	RCPT TO:<kishore@satguruclearing.com>
Apr 12, 2021 15:32:11.687432051 CEST	587	49763	208.91.199.135	192.168.2.4	250 Accepted
Apr 12, 2021 15:32:11.687797070 CEST	49763	587	192.168.2.4	208.91.199.135	DATA
Apr 12, 2021 15:32:11.862364054 CEST	587	49763	208.91.199.135	192.168.2.4	354 Enter message, ending with "." on a line by itself
Apr 12, 2021 15:32:11.866820097 CEST	49763	587	192.168.2.4	208.91.199.135	.
Apr 12, 2021 15:32:12.037487984 CEST	587	49763	208.91.199.135	192.168.2.4	250 OK id=1lVwfj-001fZd-PI
Apr 12, 2021 15:32:13.614428043 CEST	49763	587	192.168.2.4	208.91.199.135	QUIT
Apr 12, 2021 15:32:13.789947033 CEST	587	49763	208.91.199.135	192.168.2.4	221 md-73.webhostbox.net closing connection
Apr 12, 2021 15:32:14.965632915 CEST	587	49764	208.91.199.135	192.168.2.4	220-md-73.webhostbox.net ESMTP Exim 4.94 #2 Mon, 12 Apr 2021 13:32:14 +0000 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Apr 12, 2021 15:32:14.966111898 CEST	49764	587	192.168.2.4	208.91.199.135	EHLO 536720
Apr 12, 2021 15:32:15.131253004 CEST	587	49764	208.91.199.135	192.168.2.4	250-md-73.webhostbox.net Hello 536720 [84.17.52.3] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-X_PIPE_CONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Apr 12, 2021 15:32:15.131865025 CEST	49764	587	192.168.2.4	208.91.199.135	AUTH login a2lzaG9yZUBzYXRndXJ1Y2xlYXJpbmcuY29t
Apr 12, 2021 15:32:15.297158003 CEST	587	49764	208.91.199.135	192.168.2.4	334 UGFzc3dvcmQ6
Apr 12, 2021 15:32:15.474678993 CEST	587	49764	208.91.199.135	192.168.2.4	235 Authentication succeeded
Apr 12, 2021 15:32:15.475152016 CEST	49764	587	192.168.2.4	208.91.199.135	MAIL FROM:<kishore@satguruclearing.com>
Apr 12, 2021 15:32:15.649852991 CEST	587	49764	208.91.199.135	192.168.2.4	250 OK
Apr 12, 2021 15:32:15.650204897 CEST	49764	587	192.168.2.4	208.91.199.135	RCPT TO:<kishore@satguruclearing.com>
Apr 12, 2021 15:32:15.836138010 CEST	587	49764	208.91.199.135	192.168.2.4	250 Accepted
Apr 12, 2021 15:32:15.836350918 CEST	49764	587	192.168.2.4	208.91.199.135	DATA
Apr 12, 2021 15:32:16.011070967 CEST	587	49764	208.91.199.135	192.168.2.4	354 Enter message, ending with "." on a line by itself
Apr 12, 2021 15:32:16.015463114 CEST	49764	587	192.168.2.4	208.91.199.135	.
Apr 12, 2021 15:32:16.191374063 CEST	587	49764	208.91.199.135	192.168.2.4	250 OK id=1lVwfn-001faU-U5

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: DUBAI CHEMEX REGA.exe PID: 6900 Parent PID: 5896

General

Start time:	15:30:17
Start date:	12/04/2021
Path:	C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe'
Imagebase:	0xeb0000
File size:	623104 bytes
MD5 hash:	7A7078E03FD2FEE66B7436DA7222D2E0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.665376821.0000000004579000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.664541642.0000000003381000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: DUBAI CHEMEX REGA.exe PID: 3120 Parent PID: 6900

General

Start time:	15:30:25
Start date:	12/04/2021
Path:	C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\DUBAI CHEMEX REGA.exe
Imagebase:	0x830000
File size:	623104 bytes
MD5 hash:	7A7078E03FD2FEE66B7436DA7222D2E0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.911263049.0000000002B71000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.911263049.0000000002B71000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.909140573.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: AlxpSuW.exe PID: 6564 Parent PID: 3424

General

Start time:	15:30:56
Start date:	12/04/2021
Path:	C:\Users\user\AppData\Roaming\AlxpSuW\AlxpSuW.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\AppData\Roaming\AlxpSuW\AlxpSuW.exe'
Imagebase:	0x350000
File size:	623104 bytes
MD5 hash:	7A7078E03FD2FEE66B7436DA7222D2E0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000002.746129783.00000000039B8000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000009.00000002.741126162.00000000027C1000.00000004.00000001.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 25%, ReversingLabs
Reputation:	low

Chronological Activities

Analysis Process: AlxpSuW.exe PID: 7044 Parent PID: 6564

General

Start time:	15:31:01
Start date:	12/04/2021
Path:	C:\Users\user\AppData\Roaming\AlxpSuW\AlxpSuW.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\AlxpSuW\AlxpSuW.exe
Imagebase:	0xf20000
File size:	623104 bytes
MD5 hash:	7A7078E03FD2FEE66B7436DA7222D2E0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000A.00000002.909153388.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000A.00000002.910963365.0000000003201000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000A.00000002.910963365.0000000003201000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: AlxpSuW.exe PID: 7000 Parent PID: 3424

General

Start time:	15:31:04
Start date:	12/04/2021
Path:	C:\Users\user\AppData\Roaming\AlxpSuW\AlxpSuW.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\AppData\Roaming\AlxpSuW\AlxpSuW.exe'
Imagebase:	0x8c0000
File size:	623104 bytes
MD5 hash:	7A7078E03FD2FEE66B7436DA7222D2E0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: DUBAI CHEMEX REGA.exe PID: 6900 Parent PID: 5896 DUBAI CHEMEX REGA.exeCOMMON

Executed Functions

Function 07CA9948, Relevance: 7.7, Strings: 6, Instructions: 230COMMON

Download Yara Rule

Strings

x l, xrefs: 07CA998A
;~cy, xrefs: 07CA9B08
d{<5, xrefs: 07CA9C21
d{<5, xrefs: 07CA9C1A
abG), xrefs: 07CA9CA6
;~cy, xrefs: 07CA9B01

Memory Dump Source

Source File: 00000000.00000002.669958951.0000000007CA0000.00000040.00000001.sdmp, Offset: 07CA0000, based on PE: false

Similarity

API ID:
String ID: ;~cy$;~cy$abG)$d{<5$d{<5$x l
API String ID: 0-2151556319
Opcode ID: af3693e553a55acfffb0f36901dade09594e69424e82105abe797144fbb0ab08
Instruction ID: 158df5e62e2c829ef5e2b78481f4517395f9465cc3e2a47ce5b4f0866c0bad75
Opcode Fuzzy Hash: af3693e553a55acfffb0f36901dade09594e69424e82105abe797144fbb0ab08
Instruction Fuzzy Hash: 04B166B0D1421AEFDB14CFA5E98AADDFBB1FF89305F208129D40AAB250CB346941CF15

Uniqueness

Uniqueness Score: -1.00%

Function 07CA9937, Relevance: 5.2, Strings: 4, Instructions: 222COMMON

Download Yara Rule

Strings

x l, xrefs: 07CA998A
;~cy, xrefs: 07CA9B08
d{<5, xrefs: 07CA9C21
abG), xrefs: 07CA9CA6

Memory Dump Source

Source File: 00000000.00000002.669958951.0000000007CA0000.00000040.00000001.sdmp, Offset: 07CA0000, based on PE: false

Similarity

API ID:
String ID: ;~cy$abG)$d{<5$x l
API String ID: 0-54654406
Opcode ID: 0d6871d90afe9f296c300c7ef1ecc39cc900bcefd7273c6cda85975e26bcba83
Instruction ID: 55982312d5236f1e5f7fa10691c43073230dab4353d0ea6f2f53ed06eac9d421
Opcode Fuzzy Hash: 0d6871d90afe9f296c300c7ef1ecc39cc900bcefd7273c6cda85975e26bcba83
Instruction Fuzzy Hash: 9AA158B0E1421AEFDB14DFA5D58AADDFBF1FB89305F10816AD40AAB250DB386940CF15

Uniqueness

Uniqueness Score: -1.00%

Function 07CA7928, Relevance: 5.2, Strings: 4, Instructions: 154COMMON

Download Yara Rule

Strings

y7, xrefs: 07CA7B14
U'8h, xrefs: 07CA7AC6
yXHy, xrefs: 07CA79B9
y7, xrefs: 07CA7B06

Memory Dump Source

Source File: 00000000.00000002.669958951.0000000007CA0000.00000040.00000001.sdmp, Offset: 07CA0000, based on PE: false

Similarity

API ID:
String ID: U'8h$yXHy$y7$y7
API String ID: 0-172340300
Opcode ID: 2f1bf74ef68db201451050f334826256b3bb8be7d292b255e34bd03f0184f369
Instruction ID: de59b680f7cc9a2ec5a2d10f2f0809b3446a1db2d495aa2acd8a29ef5f0dc86f
Opcode Fuzzy Hash: 2f1bf74ef68db201451050f334826256b3bb8be7d292b255e34bd03f0184f369
Instruction Fuzzy Hash: 826115B4E15219EFCB04DFA6E595AADFBB2FF88305F10802AD806AB354DB345A41CF51

Uniqueness

Uniqueness Score: -1.00%

Function 07CA9C74, Relevance: 3.9, Strings: 3, Instructions: 193COMMON

Download Yara Rule

Strings

;~cy, xrefs: 07CA9B08
d{<5, xrefs: 07CA9C21
abG), xrefs: 07CA9CA6

Memory Dump Source

Source File: 00000000.00000002.669958951.0000000007CA0000.00000040.00000001.sdmp, Offset: 07CA0000, based on PE: false

Similarity

API ID:
String ID: ;~cy$abG)$d{<5
API String ID: 0-1818949979
Opcode ID: 1252fc2de2b773788815881cda200388396672a89f0d2d66f4b27fe281b74de0
Instruction ID: d690a16cdb1ae227013a1d92df64427f11a751a6b33c7fc693bd9c54b3f68071
Opcode Fuzzy Hash: 1252fc2de2b773788815881cda200388396672a89f0d2d66f4b27fe281b74de0
Instruction Fuzzy Hash: 1D9169B0D1421AEFCB14DFA5E98AADDFBF1FB89305F108169D40AAB240DB386940CF15

Uniqueness

Uniqueness Score: -1.00%

Function 07CA7922, Relevance: 3.9, Strings: 3, Instructions: 151COMMON

Download Yara Rule

Strings

y7, xrefs: 07CA7B14
U'8h, xrefs: 07CA7AC6
yXHy, xrefs: 07CA79B9

Memory Dump Source

Source File: 00000000.00000002.669958951.0000000007CA0000.00000040.00000001.sdmp, Offset: 07CA0000, based on PE: false

Similarity

API ID:
String ID: U'8h$yXHy$y7
API String ID: 0-849132479
Opcode ID: e5a186d26bc4eae45c236a71711d51a40c3821692b8a479332bce7f8193e98f6
Instruction ID: 7235e550ce4bef0e6b0184cf260e3605eac53ada72b9d102b35c299142fbb104
Opcode Fuzzy Hash: e5a186d26bc4eae45c236a71711d51a40c3821692b8a479332bce7f8193e98f6
Instruction Fuzzy Hash: 756105B4E15219EFCB04DFA5E599A9DFBB2FF89305F10802AD806A7354DB345941CF11

Uniqueness

Uniqueness Score: -1.00%

Function 07CA86B0, Relevance: 1.6, APIs: 1, Instructions: 56nativeCOMMON

Download Yara Rule

APIs

NtQueryInformationProcess.NTDLL(?,?,?,?,?), ref: 07CA8737

Memory Dump Source

Source File: 00000000.00000002.669958951.0000000007CA0000.00000040.00000001.sdmp, Offset: 07CA0000, based on PE: false

Similarity

API ID: InformationProcessQuery
String ID:
API String ID: 1778838933-0
Opcode ID: a64ebbdc098607417d255684796ef79ce5a1c248386c105145656920a5689e5a
Instruction ID: ce5f37975101bde26e62d1f2f8e1c193c57aa6609281cf81c763ee66c1becfdb
Opcode Fuzzy Hash: a64ebbdc098607417d255684796ef79ce5a1c248386c105145656920a5689e5a
Instruction Fuzzy Hash: 1321B2B5900659EFCB10CF9AD884ADEBBF4FB49314F10852AE958A7210C375A544CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 07CA86B8, Relevance: 1.6, APIs: 1, Instructions: 55nativeCOMMON

Download Yara Rule

APIs

NtQueryInformationProcess.NTDLL(?,?,?,?,?), ref: 07CA8737

Memory Dump Source

Source File: 00000000.00000002.669958951.0000000007CA0000.00000040.00000001.sdmp, Offset: 07CA0000, based on PE: false

Similarity

API ID: InformationProcessQuery
String ID:
API String ID: 1778838933-0
Opcode ID: d9f138271a7c8a86abfed7ff4ef5f5868b22e81862489c91dafc54cfe063f3ea
Instruction ID: a3f490b45f5f1a0fc7e2f453dedf90e102a79878ce95fbc2c953dc38f890a5ad
Opcode Fuzzy Hash: d9f138271a7c8a86abfed7ff4ef5f5868b22e81862489c91dafc54cfe063f3ea
Instruction Fuzzy Hash: 7A21C0B5900259EFCB10CF9AD884ADEBBF4FB49324F10842AE918A7210C375A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 07CA04F0, Relevance: 1.4, Strings: 1, Instructions: 128COMMON

Download Yara Rule

Strings

n._, xrefs: 07CA05A6

Memory Dump Source

Source File: 00000000.00000002.669958951.0000000007CA0000.00000040.00000001.sdmp, Offset: 07CA0000, based on PE: false

Similarity

API ID:
String ID: n._
API String ID: 0-445688771
Opcode ID: 4e9adf25dc324c1eefbe11034ceae088eb467d8cf53df4aef0328166c6802bcb
Instruction ID: 9cc0e9edfd99e506af4c7e30b85a45dabae78f94fff02a3a507c5419b7fbd395
Opcode Fuzzy Hash: 4e9adf25dc324c1eefbe11034ceae088eb467d8cf53df4aef0328166c6802bcb
Instruction Fuzzy Hash: 70517AB0E046199FDB08CFAAD9506AEFBF2FF89305F14C16AD418A7250E7345A41CF64

Uniqueness

Uniqueness Score: -1.00%

Function 07CA0500, Relevance: 1.4, Strings: 1, Instructions: 125COMMON

Download Yara Rule

Strings

n._, xrefs: 07CA05A6

Memory Dump Source

Source File: 00000000.00000002.669958951.0000000007CA0000.00000040.00000001.sdmp, Offset: 07CA0000, based on PE: false

Similarity

API ID:
String ID: n._
API String ID: 0-445688771
Opcode ID: c4b47ac42a806c406fba8a6b655c00fa5c64c737f97510b650f9f5113cfb67d4
Instruction ID: 5721e5bf6361e97660e3faa54007af89b66665a7ac3d1b0dc6dc58092ea0f7c5
Opcode Fuzzy Hash: c4b47ac42a806c406fba8a6b655c00fa5c64c737f97510b650f9f5113cfb67d4
Instruction Fuzzy Hash: CB513AB0E0461A9FDB08CFAAD5406AEFBF2FF88345F14C02AD419B7254E7345A41CB54

Uniqueness

Uniqueness Score: -1.00%

Function 07CA1D01, Relevance: .3, Instructions: 336COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.669958951.0000000007CA0000.00000040.00000001.sdmp, Offset: 07CA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d19380662ed9bf2ce40528533eca61540b668ca3183e77ded6599e7855a4aa0
Instruction ID: 836aebb866d60cffa0d2348b13c6197507cd602623a63e49ab1b0b4869168b83
Opcode Fuzzy Hash: 6d19380662ed9bf2ce40528533eca61540b668ca3183e77ded6599e7855a4aa0
Instruction Fuzzy Hash: 45E18BB4D1521AEFCB08CFA6D5818AEFBB2FF8A345F14D526C415AB214D7349A42CF90

Uniqueness

Uniqueness Score: -1.00%

Function 07CA1D6A, Relevance: .3, Instructions: 299COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.669958951.0000000007CA0000.00000040.00000001.sdmp, Offset: 07CA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2d418db0178a850132f095438b4a53cc0e27ddf8a6794092f8ebbc064b7fea5
Instruction ID: 614dbde0b4f99ad9ea7f49a806a7d40d0993ac5c68c9a1b6be584e7bfc38cc28
Opcode Fuzzy Hash: c2d418db0178a850132f095438b4a53cc0e27ddf8a6794092f8ebbc064b7fea5
Instruction Fuzzy Hash: 64D16AB4E1521AEFCB08CFA6C5818AEFBB2FF89345F149515C515AB214D734EA42CF90

Uniqueness

Uniqueness Score: -1.00%

Function 019BDB4C, Relevance: .2, Instructions: 233COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.664359644.00000000019B0000.00000040.00000001.sdmp, Offset: 019B0000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: db6a5f6782fb7926f95a8a3c3b53a04559466e192fbccc40d89ac85ae5566257
Instruction ID: 1b934ce7bbdf4635905dfcd5bc948ace1c8ac73b6a7d0a0eadd974d205ec1062
Opcode Fuzzy Hash: db6a5f6782fb7926f95a8a3c3b53a04559466e192fbccc40d89ac85ae5566257
Instruction Fuzzy Hash: 3E91A034E103198FCB04DBE0D8949DDBBBAFF89304F108615E91AAB3A4EB34A945CF50

Uniqueness

Uniqueness Score: -1.00%

Function 019BE213, Relevance: .2, Instructions: 192COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.664359644.00000000019B0000.00000040.00000001.sdmp, Offset: 019B0000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 1b8940be2ff1a5b0a0b13bae5171b11c1a7ae97fbdec6371771e525de205660d
Instruction ID: f5434dd6c474a34b673001b1dedf1501b1e99c801e652da0982ca4381a691738
Opcode Fuzzy Hash: 1b8940be2ff1a5b0a0b13bae5171b11c1a7ae97fbdec6371771e525de205660d
Instruction Fuzzy Hash: 2E816F75E103198FCB04DBE0D8949DDBBBAFF89314F548215E916AB3A4EB30A985CF50

Uniqueness

Uniqueness Score: -1.00%

Function 07CA8471, Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.669958951.0000000007CA0000.00000040.00000001.sdmp, Offset: 07CA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3e6a7d995055a1f216a1865e99377fc71881f1290a7332df07a5cbcea84bd53
Instruction ID: b36b19ed57878b15647ee1ff2f614fb33d24d70cc6df7e707ace67d8b9401fce
Opcode Fuzzy Hash: b3e6a7d995055a1f216a1865e99377fc71881f1290a7332df07a5cbcea84bd53
Instruction Fuzzy Hash: E95145B0E1471ADBDB14CFA9D9405DDFBF2FF89305F20862AD419AB214EB30A942CB40

Uniqueness

Uniqueness Score: -1.00%

Function 07CA0EB0, Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.669958951.0000000007CA0000.00000040.00000001.sdmp, Offset: 07CA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4493b2a1596dbd7508ddcf4cc1d2c2d87aa04eb0fb80aafbf7fbbd459835d25
Instruction ID: 9fe44fc89c26dbc1b1a13bfbd11186c523738f28b4e9a60e8fb4332330511c25
Opcode Fuzzy Hash: a4493b2a1596dbd7508ddcf4cc1d2c2d87aa04eb0fb80aafbf7fbbd459835d25
Instruction Fuzzy Hash: 5B21F4B1E006189BDB18CFABD8443DEFBF3AFC8315F14C12AD409AA258DB3419558F90

Uniqueness

Uniqueness Score: -1.00%

Function 07CA0EA2, Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.669958951.0000000007CA0000.00000040.00000001.sdmp, Offset: 07CA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 508813b819d89266e00159e75c0d70c27aea12d232e759472b32569bfe5218af
Instruction ID: 8a8272ffde12dca39b6b660645c97b172edb13dd157e36ac4657dcab66303adb
Opcode Fuzzy Hash: 508813b819d89266e00159e75c0d70c27aea12d232e759472b32569bfe5218af
Instruction Fuzzy Hash: 7221F6B0E056189BDB18CFAAD8443CEBFF3AFC9310F14C16AD408AA258DB341A45CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0EC83C19, Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.670475983.000000000EC80000.00000040.00000001.sdmp, Offset: 0EC80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2904bd1726136efab058dfce96b362eb1b8037f1e37dc2e9ecbcf4f9a3556fd2
Instruction ID: 875dd5012d38bf569e063c5168fbd4c7ef25fc51c4e6aae0dec2100a1acc4561
Opcode Fuzzy Hash: 2904bd1726136efab058dfce96b362eb1b8037f1e37dc2e9ecbcf4f9a3556fd2
Instruction Fuzzy Hash: 961190309092A48FCB059F69CA197FDBBF0AB0E305F08617AD045B7281C7798D48CB74

Uniqueness

Uniqueness Score: -1.00%

Function 0EC83C30, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.670475983.000000000EC80000.00000040.00000001.sdmp, Offset: 0EC80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf8fd99cc1a82748c07ff89fdfd4bd4af40954c039591cc1a34d6e2bb082d1d1
Instruction ID: b3ebc43567d9d5b2c38e6e80a4103aa908eadbe6668e10ce227f94c73d1565f7
Opcode Fuzzy Hash: cf8fd99cc1a82748c07ff89fdfd4bd4af40954c039591cc1a34d6e2bb082d1d1
Instruction Fuzzy Hash: 42117030D052688FCB14DFAAC6187EDBBF1AB4D305F14A179D405B3290C7758A44CF64

Uniqueness

Uniqueness Score: -1.00%

Function 07CAD570, Relevance: 1.7, APIs: 1, Instructions: 243processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07CAD7A6

Memory Dump Source

Source File: 00000000.00000002.669958951.0000000007CA0000.00000040.00000001.sdmp, Offset: 07CA0000, based on PE: false

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 3d5350213ad933c318233ed39831a64424008dbb8eb256c4e892e35c073f511c
Instruction ID: b53e463ea29b888b1e0396005ca94a44baf20f8978f7d7d699eb72d007a39e32
Opcode Fuzzy Hash: 3d5350213ad933c318233ed39831a64424008dbb8eb256c4e892e35c073f511c
Instruction Fuzzy Hash: 09918FB1E0061ADFDF14CFA8C8807EDBBB2BF48319F048569D819A7644DB749A85CF91

Uniqueness

Uniqueness Score: -1.00%

Function 019BBA60, Relevance: 1.7, APIs: 1, Instructions: 195COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.664359644.00000000019B0000.00000040.00000001.sdmp, Offset: 019B0000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: cfbe198b98d318f7274eacfb0b49178347c57d5edb4136bf936b7936d699f2a6
Instruction ID: c8a0c4bcbb6c91984984734902dff052a3ea9d3d10f181e3dbf91036ea3de5ef
Opcode Fuzzy Hash: cfbe198b98d318f7274eacfb0b49178347c57d5edb4136bf936b7936d699f2a6
Instruction Fuzzy Hash: 15714570A00B058FD724DF2AD5907AABBF5FF88204F00892DD58ADBA90DB74E805CF91

Uniqueness

Uniqueness Score: -1.00%

Function 019BAAD4, Relevance: 1.6, APIs: 1, Instructions: 116COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 019BE02A

Memory Dump Source

Source File: 00000000.00000002.664359644.00000000019B0000.00000040.00000001.sdmp, Offset: 019B0000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 83f7e6a79f936e2ee160f97f923a66e34d477168d7c2ea6fb684404203bf9b31
Instruction ID: f0f3488851a64b76f8f5e42b67173c988aff03eea776753b0add45e1e17010f7
Opcode Fuzzy Hash: 83f7e6a79f936e2ee160f97f923a66e34d477168d7c2ea6fb684404203bf9b31
Instruction Fuzzy Hash: 0A51CEB1D04309DFDB14CFAAC984ADEBBB5FF88314F24812AE819AB210D7759945CF90

Uniqueness

Uniqueness Score: -1.00%

Function 019BDF0D, Relevance: 1.6, APIs: 1, Instructions: 115COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 019BE02A

Memory Dump Source

Source File: 00000000.00000002.664359644.00000000019B0000.00000040.00000001.sdmp, Offset: 019B0000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 110fe4327ebfa4d33a94c975a221cfb621c173a7f969da7a151e7f96064b3ab6
Instruction ID: c5ac9d78fe47db11f6e906499c6c1ae131a6a27f306f3e533710773f08ece14a
Opcode Fuzzy Hash: 110fe4327ebfa4d33a94c975a221cfb621c173a7f969da7a151e7f96064b3ab6
Instruction Fuzzy Hash: 1651CFB1D04309DFDB14CFAAD984ADEBBB5FF48314F24812AE819AB210D7759945CF90

Uniqueness

Uniqueness Score: -1.00%

Function 019B7009, Relevance: 1.6, APIs: 1, Instructions: 99COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,019B7046,?,?,?,?,?), ref: 019B7107

Memory Dump Source

Source File: 00000000.00000002.664359644.00000000019B0000.00000040.00000001.sdmp, Offset: 019B0000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 2969bbedff0cdb4a8fdd243364b5ac705ce637891ac0a631beb26ba0f4ba19f5
Instruction ID: 165918373766f9432682ef130f4f41bb4568b955c8e149b65ef52ab126c4cac1
Opcode Fuzzy Hash: 2969bbedff0cdb4a8fdd243364b5ac705ce637891ac0a631beb26ba0f4ba19f5
Instruction Fuzzy Hash: 8D413C76900259AFCB01CF99D884ADEBFF5FB89310F14802AF914A7250D775A914DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 07CAD2E8, Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07CAD378

Memory Dump Source

Source File: 00000000.00000002.669958951.0000000007CA0000.00000040.00000001.sdmp, Offset: 07CA0000, based on PE: false

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 29706e4b823f7c9ac49a1bc62d0072efe622345726824816dc149c481d0de936
Instruction ID: 884b34dcfc3b7020cc022835246b873e078b1be85c689cd1a4c981d256a20633
Opcode Fuzzy Hash: 29706e4b823f7c9ac49a1bc62d0072efe622345726824816dc149c481d0de936
Instruction Fuzzy Hash: 002125B19003599FCB00CFAAC884BDEBBF5FF48314F10842AE919A7640C778A954CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 019B63FC, Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,019B7046,?,?,?,?,?), ref: 019B7107

Memory Dump Source

Source File: 00000000.00000002.664359644.00000000019B0000.00000040.00000001.sdmp, Offset: 019B0000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 26da326502835c9f7a51d82e1292d5e416f0e7991c83ae08058fdd7b130294f4
Instruction ID: 40d9606532dce4ca260e3fe4311fe09932ffb4e0bda00540f5acfe2569bf08fc
Opcode Fuzzy Hash: 26da326502835c9f7a51d82e1292d5e416f0e7991c83ae08058fdd7b130294f4
Instruction Fuzzy Hash: 8A21E6B59002489FDB10CF9AD984BDEFBF8FB48320F14851AE914A7350D374A954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 019B7078, Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,019B7046,?,?,?,?,?), ref: 019B7107

Memory Dump Source

Source File: 00000000.00000002.664359644.00000000019B0000.00000040.00000001.sdmp, Offset: 019B0000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 5e983ae998062be3ee5468a171cc3675240e3aabc415d23d56b1727ba13e7455
Instruction ID: 6cc699dae7c7746298649bb150e9df91ae6d7077d57dad1e55a81ade5cbeb631
Opcode Fuzzy Hash: 5e983ae998062be3ee5468a171cc3675240e3aabc415d23d56b1727ba13e7455
Instruction Fuzzy Hash: ED21E3B59002189FDB10CFAAD984ADEFBF8FB48324F14841AE914A7350D374A954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 07CAD3D8, Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07CAD458

Memory Dump Source

Source File: 00000000.00000002.669958951.0000000007CA0000.00000040.00000001.sdmp, Offset: 07CA0000, based on PE: false

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: f469b76391d07e4947b30561905746b6802adfc1f49f49e96870110483c258d8
Instruction ID: b281fa7603738a2fa077bb1c0fc660724cabaa87c3e8527c63d4aa84c383ec28
Opcode Fuzzy Hash: f469b76391d07e4947b30561905746b6802adfc1f49f49e96870110483c258d8
Instruction Fuzzy Hash: B92139B19003599FCB00CFAAC8847DEFBF5FF48314F108429E919A7640C778A945CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 07CAD150, Relevance: 1.6, APIs: 1, Instructions: 63threadinjectionCOMMON

Download Yara Rule

APIs

SetThreadContext.KERNELBASE(?,00000000), ref: 07CAD1CE

Memory Dump Source

Source File: 00000000.00000002.669958951.0000000007CA0000.00000040.00000001.sdmp, Offset: 07CA0000, based on PE: false

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: 83f8f6e4c028a0d1bf4f3e26398329b042b663744c3adc4c3407d80527c1eee3
Instruction ID: f089a0d9c8e958097b3efb7b390fc80ebfbfab5eb60a2fd4ed3dd8aff7f7eda9
Opcode Fuzzy Hash: 83f8f6e4c028a0d1bf4f3e26398329b042b663744c3adc4c3407d80527c1eee3
Instruction Fuzzy Hash: B9212CB19003099FDB10DFAAC4847EEBBF4EF48324F14C429D959A7640CB789945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 019BA980, Relevance: 1.6, APIs: 1, Instructions: 62libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,019BBD21,00000800,00000000,00000000), ref: 019BBF32

Memory Dump Source

Source File: 00000000.00000002.664359644.00000000019B0000.00000040.00000001.sdmp, Offset: 019B0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 2861487f501c739589d51ece90d9f9ba19da1112bba90dca1c7cac04ac70085c
Instruction ID: e49d87e2a6122330137e5b21783531b4dc2c658339ed055649e989b6cd99a3a6
Opcode Fuzzy Hash: 2861487f501c739589d51ece90d9f9ba19da1112bba90dca1c7cac04ac70085c
Instruction Fuzzy Hash: 692139B68043488FDB10CFAAC588ADEBBF4EB89314F04846EE51AA7340C375A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 07CA781A, Relevance: 1.6, APIs: 1, Instructions: 59memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 07CA7893

Memory Dump Source

Source File: 00000000.00000002.669958951.0000000007CA0000.00000040.00000001.sdmp, Offset: 07CA0000, based on PE: false

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 47ef716975be99592ef1d3058a6ec32f9c3c973ada4b8055546b0d0744eb3472
Instruction ID: d463b48480ddeada957921e8a089f0f0e56eba62557d7e6c77fd492458293b5e
Opcode Fuzzy Hash: 47ef716975be99592ef1d3058a6ec32f9c3c973ada4b8055546b0d0744eb3472
Instruction Fuzzy Hash: 4721E7B69002499FCB10CF9AD484BDEFBF4FB48324F10842AE958A7650D778A645CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 019BA998, Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,019BBD21,00000800,00000000,00000000), ref: 019BBF32

Memory Dump Source

Source File: 00000000.00000002.664359644.00000000019B0000.00000040.00000001.sdmp, Offset: 019B0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 39cc9fac30e85cc4a7df61e190277a7f602db11ad0cc6ab389b1935eddec7f19
Instruction ID: 8eeb3765410c870c6e4a8ac26b1b0a4a1433f061805d9f2ef29dc80c749534de
Opcode Fuzzy Hash: 39cc9fac30e85cc4a7df61e190277a7f602db11ad0cc6ab389b1935eddec7f19
Instruction Fuzzy Hash: 261117B29002089FDB10CF9AD588BDEFBF4EB48314F14842EE919A7240C375A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 07CA7820, Relevance: 1.6, APIs: 1, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 07CA7893

Memory Dump Source

Source File: 00000000.00000002.669958951.0000000007CA0000.00000040.00000001.sdmp, Offset: 07CA0000, based on PE: false

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 7c954e310843e73cc6defc014e05887724765a5428ba48cecab069fde0caa4de
Instruction ID: 5061473d02f9bb1215003e7e7e104a0cf4a3b15d6ea1308b8a47e5acb8947c60
Opcode Fuzzy Hash: 7c954e310843e73cc6defc014e05887724765a5428ba48cecab069fde0caa4de
Instruction Fuzzy Hash: 4D21E4B59002499FCB10CF9AC484BDEFBF4FB48324F108429E958A7240D378A645CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 07CAD228, Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07CAD296

Memory Dump Source

Source File: 00000000.00000002.669958951.0000000007CA0000.00000040.00000001.sdmp, Offset: 07CA0000, based on PE: false

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 59439c1609ebab3ad9dcb929f914d8bb290e18818379747d2a21263e8b81cde7
Instruction ID: 5d937831d703fe3997cefa5a4352e5fa4fc28d5714e2c58f542a5dd6283bc2af
Opcode Fuzzy Hash: 59439c1609ebab3ad9dcb929f914d8bb290e18818379747d2a21263e8b81cde7
Instruction Fuzzy Hash: 0F1137B19002499FCB10DFAAC8447DFBBF5EF88324F148829E915A7650C775A954CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 019BBEC0, Relevance: 1.6, APIs: 1, Instructions: 51libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,019BBD21,00000800,00000000,00000000), ref: 019BBF32

Memory Dump Source

Source File: 00000000.00000002.664359644.00000000019B0000.00000040.00000001.sdmp, Offset: 019B0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: f476fd89614dd0567da48a7e17f970baf5ad49ff2dceb40c52e3df086c662164
Instruction ID: 61c12a2851ad1aff1526866b347e4c01d238972a7f9eb1904d7d7d18279f3823
Opcode Fuzzy Hash: f476fd89614dd0567da48a7e17f970baf5ad49ff2dceb40c52e3df086c662164
Instruction Fuzzy Hash: 381114B6D042498FDB10CFAAD588BDEFBF4EB88314F14842EE519A7640C375A549CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 019BA944, Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000,?,?,?,?,?,?,?,019BBA73), ref: 019BBCA6

Memory Dump Source

Source File: 00000000.00000002.664359644.00000000019B0000.00000040.00000001.sdmp, Offset: 019B0000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: a0f14715a84fd122fdd51c5ddcbc97e031653d2f42a741d09dffefe512752d02
Instruction ID: 1096f4133f30809a8c85195419f9c9af9617a4224530100102d5c468350aa50e
Opcode Fuzzy Hash: a0f14715a84fd122fdd51c5ddcbc97e031653d2f42a741d09dffefe512752d02
Instruction Fuzzy Hash: 091134B1C002088FCB10CF9AC584BDEFBF8EB88320F10842AD819B7600D3B4A545CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 07CAB480, Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

OutputDebugStringW.KERNELBASE(00000000), ref: 07CAB4F0

Memory Dump Source

Source File: 00000000.00000002.669958951.0000000007CA0000.00000040.00000001.sdmp, Offset: 07CA0000, based on PE: false

Similarity

API ID: DebugOutputString
String ID:
API String ID: 1166629820-0
Opcode ID: 52b51ac6c7c5aaefb3cc49d5f70940a104cff0bbfe5fc4ad1ea95079e6434097
Instruction ID: e3727cb9ae9e9929fbf1b40da607432fc90bc3be059446b00e14f59c57e8e394
Opcode Fuzzy Hash: 52b51ac6c7c5aaefb3cc49d5f70940a104cff0bbfe5fc4ad1ea95079e6434097
Instruction Fuzzy Hash: 611104B1D0065A9FCB10CF9AD484B9EFBF4FB48324F10812AE819B3640C774AA44CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 07CAD0A0, Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 07CAD102

Memory Dump Source

Source File: 00000000.00000002.669958951.0000000007CA0000.00000040.00000001.sdmp, Offset: 07CA0000, based on PE: false

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 162c34d1ed2b99f52d039c92ea40256c67b8aba12a18f5791159aff87b92b713
Instruction ID: e6aebfebcc0211a81ab3b49903651c89dc09bb6180fafaa2364366137e4ffdaf
Opcode Fuzzy Hash: 162c34d1ed2b99f52d039c92ea40256c67b8aba12a18f5791159aff87b92b713
Instruction Fuzzy Hash: 78110AB19042499FCB10DFAAC4887DFFBF5EB88324F148429D515A7640C779A945CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 019BDB34, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,FFFFFFF4,?), ref: 019BE1BD

Memory Dump Source

Source File: 00000000.00000002.664359644.00000000019B0000.00000040.00000001.sdmp, Offset: 019B0000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 06ce91cdb25bea043125ef497f1982ccd8f692d9bb25b2fe99c685437087923d
Instruction ID: 1d1fba47718cd4d0784b53b1b42ad452d63103a255782d7766f9745fe6bc9c26
Opcode Fuzzy Hash: 06ce91cdb25bea043125ef497f1982ccd8f692d9bb25b2fe99c685437087923d
Instruction Fuzzy Hash: 6211F5B59002089FDB10CF99D588BDEBBF8FB49320F208419E919A7700C3B4A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0EC81A0F, Relevance: 1.5, APIs: 1, Instructions: 45windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 0EC81A6D

Memory Dump Source

Source File: 00000000.00000002.670475983.000000000EC80000.00000040.00000001.sdmp, Offset: 0EC80000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 509cfcc332b2d55c10733c5d196a95ef0c0fda308617a059b1f705554045bfa9
Instruction ID: 3c3dd6431736d642b3c14f76982ad5ad24452c34d0d27067b83ac4048fca3a9f
Opcode Fuzzy Hash: 509cfcc332b2d55c10733c5d196a95ef0c0fda308617a059b1f705554045bfa9
Instruction Fuzzy Hash: D411E5B58003499FDB10DF9AD589BDEFBF8FB48324F14841AE914A7600C3B5A995CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 019BE159, Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,FFFFFFF4,?), ref: 019BE1BD

Memory Dump Source

Source File: 00000000.00000002.664359644.00000000019B0000.00000040.00000001.sdmp, Offset: 019B0000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: b7df8c30f78f2238d2f6cf43e5f1e5b21a55250080227bf53c933dd96992595b
Instruction ID: c8ceb61669e6bb944f3b20b1102f38a0bed1c31708ab6bd851805169e0cceaca
Opcode Fuzzy Hash: b7df8c30f78f2238d2f6cf43e5f1e5b21a55250080227bf53c933dd96992595b
Instruction Fuzzy Hash: D311D3B59002098FDB10CF99D589BDEBBF8FB48324F24851AE959B7740C374A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0EC81A10, Relevance: 1.5, APIs: 1, Instructions: 44windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 0EC81A6D

Memory Dump Source

Source File: 00000000.00000002.670475983.000000000EC80000.00000040.00000001.sdmp, Offset: 0EC80000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: fcca9e59dc3ead9783982ff92a556a34bf03e08ef2b8ff2beb7be39e058d266d
Instruction ID: 6624804e7adaf22e2398d04cffe7f80117b146b5f24c7d7d34ff0a3a4f2cdc07
Opcode Fuzzy Hash: fcca9e59dc3ead9783982ff92a556a34bf03e08ef2b8ff2beb7be39e058d266d
Instruction Fuzzy Hash: 4211E5B58003499FDB10DF9AD588BDEFBF8FB48324F148419E914A7600C3B5A995CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0154D4D8, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.663757020.000000000154D000.00000040.00000001.sdmp, Offset: 0154D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12384ca2e3cacd34e98185e8cae49f1c8b71538bbf73c7e4f622d16ae3354938
Instruction ID: 670af55b2ccd1c282943f408ed1bd0249042160fb8333630c170150f502bd02a
Opcode Fuzzy Hash: 12384ca2e3cacd34e98185e8cae49f1c8b71538bbf73c7e4f622d16ae3354938
Instruction Fuzzy Hash: A72103B2504200DFDB05CF94D9C4B6ABBB5FB9832CF248569E9094F20AC736D856CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 0195D1D4, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.664166389.000000000195D000.00000040.00000001.sdmp, Offset: 0195D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6335e7541ec0a703e7e33ca745ba5d3adb724f09df7a2f0dc4522789b4a42705
Instruction ID: deb7a1afeb4f3aaa7035470af47fc618058a82d62529ea87a73c8bb9da90c032
Opcode Fuzzy Hash: 6335e7541ec0a703e7e33ca745ba5d3adb724f09df7a2f0dc4522789b4a42705
Instruction Fuzzy Hash: 3821CFB1504200AFDB45CF94D9C0B26BBA5FB88264F24C9ADED095B246C376D846CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0195D01C, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.664166389.000000000195D000.00000040.00000001.sdmp, Offset: 0195D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 715eda26548a39c0cea4a17979e2acbd04068e4e1336a91f9847507aeed7fbf2
Instruction ID: 187680d71c8a746280e7e414fe3ff5b142672499d4a508dd0e009f13da4c8442
Opcode Fuzzy Hash: 715eda26548a39c0cea4a17979e2acbd04068e4e1336a91f9847507aeed7fbf2
Instruction Fuzzy Hash: 452100B1604200DFDB55CF64D8C4B26BBA5FB88364F24C969ED0D5B246C37AD847CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0195D005, Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.664166389.000000000195D000.00000040.00000001.sdmp, Offset: 0195D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d8aa2f8e53d0487f1e70cadaa5c2d36d7615c224109d9eb9d7afde3543bb357
Instruction ID: 0b1f102be13acded91e73e4f8abd41536cbdd317943d5fd62c123f8e2ad589c2
Opcode Fuzzy Hash: 8d8aa2f8e53d0487f1e70cadaa5c2d36d7615c224109d9eb9d7afde3543bb357
Instruction Fuzzy Hash: E4216F755093C08FDB12CF24D994B15BFB1EB46214F28C5EAD8498B697C33A984ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 0154D4D3, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.663757020.000000000154D000.00000040.00000001.sdmp, Offset: 0154D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abf9d05837f20679d6678064280a21b40d007861ebc24b3ccb10da70a24719c3
Instruction ID: 3000c7b3dd381e2ab8e9677e3ec0d546afdacbc7f95206168d82321c2cd2ecda
Opcode Fuzzy Hash: abf9d05837f20679d6678064280a21b40d007861ebc24b3ccb10da70a24719c3
Instruction Fuzzy Hash: A711B176504280CFCB12CF54D5C4B5ABF71FB98328F2886A9D8054F616C33AD456CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 0195D1CF, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.664166389.000000000195D000.00000040.00000001.sdmp, Offset: 0195D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21dbda9fffde9beb189af7165341122266bd3c9337f42a4093e234a02c9dbdce
Instruction ID: bddad124aac5e7f400c20030680981756a0f4f07159ce799bab184217b2d3c15
Opcode Fuzzy Hash: 21dbda9fffde9beb189af7165341122266bd3c9337f42a4093e234a02c9dbdce
Instruction Fuzzy Hash: C811BB75904280DFDB52CF54C5C4B15BBB1FB84324F28C6AEDC494B656C33AD44ACBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0154D669, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.663757020.000000000154D000.00000040.00000001.sdmp, Offset: 0154D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee40c9a78840b9d9215a384d0f245ebcbb876b41fb52224fb806f24774c324b8
Instruction ID: 0c5ff29e5ec8e6950513200abff0be2fc3bacc28df2da3eabccc4bc298f5903b
Opcode Fuzzy Hash: ee40c9a78840b9d9215a384d0f245ebcbb876b41fb52224fb806f24774c324b8
Instruction Fuzzy Hash: 0801F7711083549BE7104A5ADC84766BBF8FF52628F08C45AFE0C5F246C3799840CAB1

Uniqueness

Uniqueness Score: -1.00%

Function 0154D668, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.663757020.000000000154D000.00000040.00000001.sdmp, Offset: 0154D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 880b1244982bde649abdb5a0c9302df779bbe7c7aeb87440cf92625c74888679
Instruction ID: abf77969f2ff18eecb53b31c41face4238b392e2ed5090d6be351a5cdb92a8f2
Opcode Fuzzy Hash: 880b1244982bde649abdb5a0c9302df779bbe7c7aeb87440cf92625c74888679
Instruction Fuzzy Hash: 42F0C2714042489FE7108A1ADCC8B66FFF8EB92638F18C45AED081F286C3799844CAB0

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 07CA3C00, Relevance: 2.7, Strings: 2, Instructions: 168COMMON

Download Yara Rule

Strings

;@P:, xrefs: 07CA3DED
;@P:, xrefs: 07CA3DF4

Memory Dump Source

Source File: 00000000.00000002.669958951.0000000007CA0000.00000040.00000001.sdmp, Offset: 07CA0000, based on PE: false

Similarity

API ID:
String ID: ;@P:$;@P:
API String ID: 0-4202871410
Opcode ID: 88a6e265fd62bb4d99a4b849d898913037f94146990caa2fe48e2738ba338981
Instruction ID: 3813e5402166617b830dd3641ce44ab988f324a2d03e010431752ee67eeda766
Opcode Fuzzy Hash: 88a6e265fd62bb4d99a4b849d898913037f94146990caa2fe48e2738ba338981
Instruction Fuzzy Hash: 316138B1D1424AEFCB14CFA6C8915EEFBB1BF89309F14C12AD415AB254D7389A41CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0EC83CF8, Relevance: .4, Instructions: 427COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.670475983.000000000EC80000.00000040.00000001.sdmp, Offset: 0EC80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 348ee2884eb08cc8f0dfeb7cf37ff4ec764764bbb199bc6f8c01762277b53bbb
Instruction ID: 36ab896cacd32e06ef4ad02830e1c65a981e637a9bd3ea5c5a5109e6b1ac6c26
Opcode Fuzzy Hash: 348ee2884eb08cc8f0dfeb7cf37ff4ec764764bbb199bc6f8c01762277b53bbb
Instruction Fuzzy Hash: F6F1DF70B112458FDB19EF7AC6A0BAEB7F6AF89708F104469E1169B294CB36DD01CB50

Uniqueness

Uniqueness Score: -1.00%

Function 019BA758, Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.664359644.00000000019B0000.00000040.00000001.sdmp, Offset: 019B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb6e0b00fe5acb95000e15a5f7aec27666b823f51d6d76b53a25d0a1eafb0944
Instruction ID: f76333964312bcb1e5d0b93ac19523a8c6cce198de91480ad5872869b1fcb84e
Opcode Fuzzy Hash: fb6e0b00fe5acb95000e15a5f7aec27666b823f51d6d76b53a25d0a1eafb0944
Instruction Fuzzy Hash: 20A17136E0021ACFCF15DFA5C9845DDBBB6FF85301B15816AE909BB261EB35A905CF40

Uniqueness

Uniqueness Score: -1.00%

Function 07CA9D58, Relevance: .2, Instructions: 247COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.669958951.0000000007CA0000.00000040.00000001.sdmp, Offset: 07CA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03c27e12e2e97c09b838dfb7b669e02cfdd6247147a9f1d0d0bfdd6eb9ee7eac
Instruction ID: 4564e6c8532384dc092d365b64e3d7bc46386d8fd8ad13793770d2ceace34b30
Opcode Fuzzy Hash: 03c27e12e2e97c09b838dfb7b669e02cfdd6247147a9f1d0d0bfdd6eb9ee7eac
Instruction Fuzzy Hash: 20B11AB4E142199FDB14CF69C980AADFBB2FF89305F2491A9D409A7316D730AE41CF61

Uniqueness

Uniqueness Score: -1.00%

Function 07CA43E0, Relevance: .2, Instructions: 226COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.669958951.0000000007CA0000.00000040.00000001.sdmp, Offset: 07CA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52d38e7eb9b0a0737304b5317d01d62bb55b5264503bb5c49ec6d37563791f8a
Instruction ID: fb0459d4e3c3a43c6ea95c346e17f9786a7035cfbe541fa88735efb488cba9a0
Opcode Fuzzy Hash: 52d38e7eb9b0a0737304b5317d01d62bb55b5264503bb5c49ec6d37563791f8a
Instruction Fuzzy Hash: 4CA133B4E0524ADFCB08CFAAC5805EEFBF2FF89205F24916AD405B7214D3749A418FA5

Uniqueness

Uniqueness Score: -1.00%

Function 019BC3A0, Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.664359644.00000000019B0000.00000040.00000001.sdmp, Offset: 019B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9edbb3f258c8628e6819ff8dafd256088a26a8d03363b51c7bc54bedce0968a
Instruction ID: 2f2b4b6e129211ffe1c594e62cb8f693cc5495241c38384400ad69b4072da656
Opcode Fuzzy Hash: c9edbb3f258c8628e6819ff8dafd256088a26a8d03363b51c7bc54bedce0968a
Instruction Fuzzy Hash: 97C10CB96217468BE710CF64E88A18D7FA1BB85328F504309FE612BAD5DFB4354ACF44

Uniqueness

Uniqueness Score: -1.00%

Function 07CA2CE8, Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.669958951.0000000007CA0000.00000040.00000001.sdmp, Offset: 07CA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7df844de301ae5520492e069837d2f8fd27c199e165622d6a397d67e7375f5b
Instruction ID: 4c23e76c72a0a00131fd128ef44a7bd191d1225e1cd095c55e880582681f6f1e
Opcode Fuzzy Hash: b7df844de301ae5520492e069837d2f8fd27c199e165622d6a397d67e7375f5b
Instruction Fuzzy Hash: 258101B5E1521A9FCB44CFA9C98099EFBF1FF89215F14856AE405AB321D330AA42CF50

Uniqueness

Uniqueness Score: -1.00%

Function 07CA2CF8, Relevance: .2, Instructions: 196COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.669958951.0000000007CA0000.00000040.00000001.sdmp, Offset: 07CA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e52709163e7482eaee0fdad7345f8495761dfebd931184bd1c84d6d35a658d3
Instruction ID: 764283090d281d6cafb3b8bd669f60df8ea26d9d929c563f8e1747fa4fdf45f0
Opcode Fuzzy Hash: 5e52709163e7482eaee0fdad7345f8495761dfebd931184bd1c84d6d35a658d3
Instruction Fuzzy Hash: 9691F2B1E1525A9FCB44CF9AC58099EFBF1FF89315F24956AE405AB321D330AA42CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0EC80011, Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.670475983.000000000EC80000.00000040.00000001.sdmp, Offset: 0EC80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8830f55669200f5cb605225d53161c03ac3249425d6e4ad5d3317899bfab9c17
Instruction ID: d09ae7a6f522e5dcf81422198bcab1277c5a91c482df98b21032136799635839
Opcode Fuzzy Hash: 8830f55669200f5cb605225d53161c03ac3249425d6e4ad5d3317899bfab9c17
Instruction Fuzzy Hash: CB613971E15669CBEB24CF66CE447DAB7B2BFC9300F14C1EAC409A7614EB315A868F40

Uniqueness

Uniqueness Score: -1.00%

Function 07CA3908, Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.669958951.0000000007CA0000.00000040.00000001.sdmp, Offset: 07CA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbc625433b02890d17f09c4e0d80a85d036c1be5c2078b78247e1260f181ae5e
Instruction ID: 83e18821770e3e77a7bc877d5ad5ef8138799c9487ff9038ae0c5e5e30633e19
Opcode Fuzzy Hash: fbc625433b02890d17f09c4e0d80a85d036c1be5c2078b78247e1260f181ae5e
Instruction Fuzzy Hash: 867148B4E1425ADFCB04CFAAD5909AEFBB2FF89315F148419D415AB314D730AA82CF94

Uniqueness

Uniqueness Score: -1.00%

Function 07CA38F9, Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.669958951.0000000007CA0000.00000040.00000001.sdmp, Offset: 07CA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc237908cf4f01abce208fd9f0b15bfcbeac306a6f806a9b2c505f5bc74d9125
Instruction ID: a580e4f87deb489f2cbada8827a796867ce313e6c39b78d8ea2547433b437aba
Opcode Fuzzy Hash: fc237908cf4f01abce208fd9f0b15bfcbeac306a6f806a9b2c505f5bc74d9125
Instruction Fuzzy Hash: 4A6179B4E1424ADFCB04CFAAC5908AEFBB2FF89315F148516D415A7310D734AA82CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 0EC80040, Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.670475983.000000000EC80000.00000040.00000001.sdmp, Offset: 0EC80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7a99e8146ab9cebe00fcf2f436ae1be709ae1b11c01072faf0c31e9272d5e42
Instruction ID: 9889fd913b7de4c2d114b8396d735430ed9b5d08a8391d15f17ba563b78f20fa
Opcode Fuzzy Hash: e7a99e8146ab9cebe00fcf2f436ae1be709ae1b11c01072faf0c31e9272d5e42
Instruction Fuzzy Hash: 99612A71E15629CBEB24CF66CA4479EF7B6BFC9300F14D1AAC40DA6614E7315A868F00

Uniqueness

Uniqueness Score: -1.00%

Function 07CA0CA2, Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.669958951.0000000007CA0000.00000040.00000001.sdmp, Offset: 07CA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95b0e6102142dd7ba464a03c6874588481a85c9b8d3b33b37400575f98f29af6
Instruction ID: 0f049d328652c927e8e35b37e678cf96405e82e311a47f2e7b21b5717063e022
Opcode Fuzzy Hash: 95b0e6102142dd7ba464a03c6874588481a85c9b8d3b33b37400575f98f29af6
Instruction Fuzzy Hash: 1A515DB4E1521AEFCB04CF95D5805AEFBB2FF89345F25855AD404BB314E730AA81CB91

Uniqueness

Uniqueness Score: -1.00%

Function 07CA41C0, Relevance: .2, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.669958951.0000000007CA0000.00000040.00000001.sdmp, Offset: 07CA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3a46fc19af74efb13f1847a8a5f815b49d53b8a1bf0310a1429adf2c0a7af27
Instruction ID: 3335c910ebb947f53bca9e3949566dc0b5928117eecad96063cd137235113cb5
Opcode Fuzzy Hash: c3a46fc19af74efb13f1847a8a5f815b49d53b8a1bf0310a1429adf2c0a7af27
Instruction Fuzzy Hash: DE5102B4E1520ADFCB08CFAAC5809DEFBF2FF89215F24956AD415B7314D374AA018B64

Uniqueness

Uniqueness Score: -1.00%

Function 07CA41B0, Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.669958951.0000000007CA0000.00000040.00000001.sdmp, Offset: 07CA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 257be7beb821e6d7ff6ca2a4da85091b5f59276f8756f36f9d66bccf7eb103fb
Instruction ID: 77171537d7c1f8575e7bbf715f69e8340c61fdca07e6d283446321477f219c86
Opcode Fuzzy Hash: 257be7beb821e6d7ff6ca2a4da85091b5f59276f8756f36f9d66bccf7eb103fb
Instruction Fuzzy Hash: 5A5114B4E1524ADFCB08CFAAC5809DEFBF2EF89211F14856AD405F7314D774AA418B64

Uniqueness

Uniqueness Score: -1.00%

Function 0EC8026A, Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.670475983.000000000EC80000.00000040.00000001.sdmp, Offset: 0EC80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7d1364c4829ee23d34bd45aaecac671ede9f67ae2b7a8d2133ff50d1cd568b0
Instruction ID: 19155e4481e6f7720fa6f09aff1b4f981bae08de96800aa0846fdde7d1a29d0b
Opcode Fuzzy Hash: e7d1364c4829ee23d34bd45aaecac671ede9f67ae2b7a8d2133ff50d1cd568b0
Instruction Fuzzy Hash: D3514874E1162ACBDB24CF26DA40B9DF7B2BB99310F1495E6D40AB3604E7359E85CF04

Uniqueness

Uniqueness Score: -1.00%

Function 0EC8021B, Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.670475983.000000000EC80000.00000040.00000001.sdmp, Offset: 0EC80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c63869938f9ea4f40a759d7c9e8559be7d6fcafbbb6ea9dec2240f390039ba3
Instruction ID: b6b65909fe281c90d492942994dcc4a91f9b8719f0abb8b5ca748b592000ebe1
Opcode Fuzzy Hash: 3c63869938f9ea4f40a759d7c9e8559be7d6fcafbbb6ea9dec2240f390039ba3
Instruction Fuzzy Hash: 8D511A70E1562ACBDB24CF26CA44BDDB7B2BB99300F1495E6C40AB2614E7359E85CF44

Uniqueness

Uniqueness Score: -1.00%

Function 0EC802AD, Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.670475983.000000000EC80000.00000040.00000001.sdmp, Offset: 0EC80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cdb1a4e604f0964c27d378fbcc26e031071e51e62c0b07b838f0c9aa64eb9cad
Instruction ID: 854a91efaa28374df6f91ff838bb3f9c1db04ed27ae66ca8625c324ae4c39cc3
Opcode Fuzzy Hash: cdb1a4e604f0964c27d378fbcc26e031071e51e62c0b07b838f0c9aa64eb9cad
Instruction Fuzzy Hash: CF514B70E1162ACBDB24CF66CA40BDDF7B2BB99310F1485E6D409B2604E7359E858F04

Uniqueness

Uniqueness Score: -1.00%

Function 0EC80202, Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.670475983.000000000EC80000.00000040.00000001.sdmp, Offset: 0EC80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 707529dc89a42391231f4cba2aff4239078eb4f2c35a48660b74a5dfe5114f0b
Instruction ID: 3a3be0b44c633bc39fd6561fa3bec70494a2f504c00cd00fddc9eeaad341d595
Opcode Fuzzy Hash: 707529dc89a42391231f4cba2aff4239078eb4f2c35a48660b74a5dfe5114f0b
Instruction Fuzzy Hash: 79514B70E1162ACBEB24CF26CA40BDDF7B2BB99310F1485E6D409B2604E7359E868F44

Uniqueness

Uniqueness Score: -1.00%

Function 07CA43F0, Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.669958951.0000000007CA0000.00000040.00000001.sdmp, Offset: 07CA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: debcb5cc7c83b648893783b611e3c5d8d8158639de4891a2e8581fbfeb726a4f
Instruction ID: 49d5bc3cff44d0c8a8caffd57937b7d1f96f593261d5cd0c3fe73198fa9070c8
Opcode Fuzzy Hash: debcb5cc7c83b648893783b611e3c5d8d8158639de4891a2e8581fbfeb726a4f
Instruction Fuzzy Hash: B041E8B0E0564ADBCB48CFAAC5805AEFBF2BF88305F24C16AC519A7214D7749B418F95

Uniqueness

Uniqueness Score: -1.00%

Function 07CA5190, Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.669958951.0000000007CA0000.00000040.00000001.sdmp, Offset: 07CA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fcee7974c89c29fc71ff37a3127870ee24de12e4421761358f9856ca9dc4477
Instruction ID: 261fef1c5f58032633cf29743c12062d4dd481a0a5231b50b9c013dbc1b4609b
Opcode Fuzzy Hash: 7fcee7974c89c29fc71ff37a3127870ee24de12e4421761358f9856ca9dc4477
Instruction Fuzzy Hash: BE415AB1E056199BDB28CF6B9D4429AFBF3FFC8301F14C1BA850CA6214DB340A858E11

Uniqueness

Uniqueness Score: -1.00%

Function 07CA3FA8, Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.669958951.0000000007CA0000.00000040.00000001.sdmp, Offset: 07CA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46dafe13c22fff02c06ac4acfe8fd30c6e29182900c36c43d5ef56c6cc5abe54
Instruction ID: 2d7ecaeb14a60009f6073088c8ad905ca392ae8015cceae659cc3f415e2c0433
Opcode Fuzzy Hash: 46dafe13c22fff02c06ac4acfe8fd30c6e29182900c36c43d5ef56c6cc5abe54
Instruction Fuzzy Hash: F34129B0E0420ADFCB08CFAAC4805AEFBF2FF89305F14C06AC515A7254D7749A418F95

Uniqueness

Uniqueness Score: -1.00%

Function 07CA2B00, Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.669958951.0000000007CA0000.00000040.00000001.sdmp, Offset: 07CA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2501670f7d210fb1f32a768db0bf05b408dc656933972b33be5fb9a58719e21
Instruction ID: 97abe6b9822feb9453620a9ff4b7d94fc0ead3cceaa3eba765270df3f0240c6c
Opcode Fuzzy Hash: c2501670f7d210fb1f32a768db0bf05b408dc656933972b33be5fb9a58719e21
Instruction Fuzzy Hash: FC4182B0E1421AEFCB04CFA5D98149EFBB2FFC9249F24C565C406A7215D7309A41CF95

Uniqueness

Uniqueness Score: -1.00%

Function 07CA5180, Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.669958951.0000000007CA0000.00000040.00000001.sdmp, Offset: 07CA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0b4cd403a9a5e0de90f0ae47613a77a5573541c9ac787d0e6dfe66a2979a2ed
Instruction ID: 4765dee6dd7c628f92953c6415f611c7eb368d2f383f7dcc9d694e51061002af
Opcode Fuzzy Hash: e0b4cd403a9a5e0de90f0ae47613a77a5573541c9ac787d0e6dfe66a2979a2ed
Instruction Fuzzy Hash: AA413BB1E056198BEB58DF6B9D4468AFBF3BFC8301F14C1BA950CAA224DB3409858F11

Uniqueness

Uniqueness Score: -1.00%

Function 07CA3FB8, Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.669958951.0000000007CA0000.00000040.00000001.sdmp, Offset: 07CA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5bd4e43d06198ced32d4a5afd7e179f748bb811cff23348dc7991ac1486bfa4
Instruction ID: 02c4002a8ba566ff8a1697fdbd63c54a4f8bc6f7d20c20bd37d0080816b876b1
Opcode Fuzzy Hash: c5bd4e43d06198ced32d4a5afd7e179f748bb811cff23348dc7991ac1486bfa4
Instruction Fuzzy Hash: D641F7B0E0421ADBCB48CFAAC4805AEFBF2FF89305F24C06AC525B7254D7749A419F95

Uniqueness

Uniqueness Score: -1.00%

Function 07CA7BB8, Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.669958951.0000000007CA0000.00000040.00000001.sdmp, Offset: 07CA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d22bcaec0c0dba9e11b047f22cdef36a00b19657300ce8d9eb7083b1e9c5ca0f
Instruction ID: 2e052d451c7fc960846261a5311e9d262ebd99067268f0ff885d506cbc1d40f8
Opcode Fuzzy Hash: d22bcaec0c0dba9e11b047f22cdef36a00b19657300ce8d9eb7083b1e9c5ca0f
Instruction Fuzzy Hash: FA1117B1E116199BDB48CFABD84069EFBF7FBC9210F14C03AD508B7214DB305A058B91

Uniqueness

Uniqueness Score: -1.00%

Function 07CA45C0, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.669958951.0000000007CA0000.00000040.00000001.sdmp, Offset: 07CA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8821f2fddca7b6050b4c656da9769d1c96e5ead9fc9ce3ffb448c92925c3a88e
Instruction ID: dc4de8a58106f69e6461cbeee82303c6caf51a3c1169e5f691528f764ed2621c
Opcode Fuzzy Hash: 8821f2fddca7b6050b4c656da9769d1c96e5ead9fc9ce3ffb448c92925c3a88e
Instruction Fuzzy Hash: F22100B1E056589BEB0CCF6BD84069EFBF3AFC8200F08C17AC808AA255EB7406458F51

Uniqueness

Uniqueness Score: -1.00%

Function 07CA45D0, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.669958951.0000000007CA0000.00000040.00000001.sdmp, Offset: 07CA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03be1b99a2c7d21a6a3d0ce40a8e2393ccba84e10be641afcbcec14cdde2fe4a
Instruction ID: 0c7e453095ca62696c895f9a633ff71b78051b28084188305bfe224a20aeff39
Opcode Fuzzy Hash: 03be1b99a2c7d21a6a3d0ce40a8e2393ccba84e10be641afcbcec14cdde2fe4a
Instruction Fuzzy Hash: 1E11D7B1E056199BEB0CCFABD84069EFBF7BFC8201F08C17AC908A6254EB7416558F51

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: DUBAI CHEMEX REGA.exe PID: 3120 Parent PID: 6900 DUBAI CHEMEX REGA.exeCOMMON

Executed Functions

Function 00F90A76, Relevance: 9.7, APIs: 4, Strings: 1, Instructions: 976libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00F90ED5
KiUserExceptionDispatcher.NTDLL ref: 00F913B9

Strings

x l, xrefs: 00F922E6

Memory Dump Source

Source File: 00000004.00000002.910377858.0000000000F90000.00000040.00000001.sdmp, Offset: 00F90000, based on PE: false

Similarity

API ID: DispatcherExceptionInitializeThunkUser
String ID: x l
API String ID: 243558500-2770355295
Opcode ID: 6eab6c21a1e01d1b59a24f5c5e4feebb2d395225be52596f51e6ca0e07b9cbe7
Instruction ID: a7d2a9646e0c71df7b4584ecb96aa804b63e2416152659f85135207897a9ccfc
Opcode Fuzzy Hash: 6eab6c21a1e01d1b59a24f5c5e4feebb2d395225be52596f51e6ca0e07b9cbe7
Instruction Fuzzy Hash: BCA21374A10229CFCB64EB24C99879DB7B6BF88305F1084EAD94AA3354DF359E81CF51

Uniqueness

Uniqueness Score: -1.00%

Function 00F7AA98, Relevance: 3.3, Strings: 2, Instructions: 821COMMON

Download Yara Rule

Strings

Xc%l, xrefs: 00F7B24E
Xc%l, xrefs: 00F7B244

Memory Dump Source

Source File: 00000004.00000002.910333991.0000000000F70000.00000040.00000001.sdmp, Offset: 00F70000, based on PE: false

Similarity

API ID:
String ID: Xc%l$Xc%l
API String ID: 0-1338683366
Opcode ID: 1289ac46bf3dd392f7dc10143b5f6b351f264d07f00a2c6038260d5004c70541
Instruction ID: 5cda217da51f0e580c334500fe13318584dce31854d18d1746bfd297050f436f
Opcode Fuzzy Hash: 1289ac46bf3dd392f7dc10143b5f6b351f264d07f00a2c6038260d5004c70541
Instruction Fuzzy Hash: BF52BF30F042059FDB15DB68C854BAEBBE2AFCA310F15C46AE519DB391DB34DC429B92

Uniqueness

Uniqueness Score: -1.00%

Function 00F74FCC, Relevance: 3.0, Instructions: 2982COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.910333991.0000000000F70000.00000040.00000001.sdmp, Offset: 00F70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5f2043ddf114b73154f80d6a338e006a0406dfab07abb6739735af977315eb5
Instruction ID: 12547dc2f7f7d74ad0223b8b0b514440ebd56d9c45661c28b80b1bbc4cce004d
Opcode Fuzzy Hash: e5f2043ddf114b73154f80d6a338e006a0406dfab07abb6739735af977315eb5
Instruction Fuzzy Hash: EF632F30D14B198ECB11EF68C884699F7B1FF99310F15D69AE44CAB221EB70AAC5DF41

Uniqueness

Uniqueness Score: -1.00%

Function 00F74BC0, Relevance: 2.9, Instructions: 2902COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.910333991.0000000000F70000.00000040.00000001.sdmp, Offset: 00F70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c363211fdc7a77eacb21933b6408ddf0bb125f22787c4b74502711b59ac58fd
Instruction ID: 06b64858581f629e2fbbe1fa858fe8f4dcda912bafd90bce1dddb3444669eb25
Opcode Fuzzy Hash: 2c363211fdc7a77eacb21933b6408ddf0bb125f22787c4b74502711b59ac58fd
Instruction Fuzzy Hash: 52631E30D14B198ECB11EF68C884A99F7B1FF99310F15D69AE44C6B221EB70AAC5DF41

Uniqueness

Uniqueness Score: -1.00%

Function 00FE9D70, Relevance: 2.3, APIs: 1, Instructions: 760libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00FEA4F8

Memory Dump Source

Source File: 00000004.00000002.910413277.0000000000FE0000.00000040.00000001.sdmp, Offset: 00FE0000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 9e30cdaea0984fb7dbb7b4e020c0cb30c4b3852268d91d3bc6bb7d1bec605527
Instruction ID: 27645504170ccda42ef4b58e1051dc1265f79ed945569a9f8b3e30411ca0f382
Opcode Fuzzy Hash: 9e30cdaea0984fb7dbb7b4e020c0cb30c4b3852268d91d3bc6bb7d1bec605527
Instruction Fuzzy Hash: F8621B71E006198FCB25EF78C9546DDB7F2AF89300F1085AAD54AAB354EF30AE85CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00F7DF24, Relevance: 1.9, Strings: 1, Instructions: 671COMMON

Download Yara Rule

Strings

8^%l, xrefs: 00F7E66B

Memory Dump Source

Source File: 00000004.00000002.910333991.0000000000F70000.00000040.00000001.sdmp, Offset: 00F70000, based on PE: false

Similarity

API ID:
String ID: 8^%l
API String ID: 0-3725521276
Opcode ID: e16da11a7936a61e74f59306a2459b97f8dcf956689da74382071f098b47fa9b
Instruction ID: 9dbfe99a1e0aa5d1ec5a4b84340a45037326e54e78099da06b9256ad5ae8ec18
Opcode Fuzzy Hash: e16da11a7936a61e74f59306a2459b97f8dcf956689da74382071f098b47fa9b
Instruction Fuzzy Hash: A742A230E042488FEB24DB64C85479EBBB2AF99314F14C1ABD409AF396DB74DC45DB92

Uniqueness

Uniqueness Score: -1.00%

Function 01010BE0, Relevance: 1.6, APIs: 1, Instructions: 60COMMON

Download Yara Rule

APIs

SetWindowsHookExW.USER32(0000000D,00000000,?,?), ref: 0101239B

Memory Dump Source

Source File: 00000004.00000002.910532919.0000000001010000.00000040.00000001.sdmp, Offset: 01010000, based on PE: false

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: 96b33db8596f8381a7a6d1339dcd63a2513227ef8a8477817af00802ed9e2b55
Instruction ID: bc55ececc1dbfa3e49a18c236360421c5ad3018b308cd8084e4cbd99f6f26897
Opcode Fuzzy Hash: 96b33db8596f8381a7a6d1339dcd63a2513227ef8a8477817af00802ed9e2b55
Instruction Fuzzy Hash: 062115B19002089FCB54DF99D848BEEFBF5FB88314F108429E855A7250D7B8A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00F70040, Relevance: 1.1, Instructions: 1102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.910333991.0000000000F70000.00000040.00000001.sdmp, Offset: 00F70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94f1e356f7e129d1ad332a0bc2b5f4a22bd8285a1dcdf7aab84f96d8b0030718
Instruction ID: 9d2873567746615ea2c465fea4eb01c60c3d2de83cb1ee1c97080a029d5fd707
Opcode Fuzzy Hash: 94f1e356f7e129d1ad332a0bc2b5f4a22bd8285a1dcdf7aab84f96d8b0030718
Instruction Fuzzy Hash: D1923D70F002188FEB24DB78C854BAEB6F2BF89350F1485AAD509EB380DF359D859B55

Uniqueness

Uniqueness Score: -1.00%

Function 00F71D90, Relevance: .6, Instructions: 636COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.910333991.0000000000F70000.00000040.00000001.sdmp, Offset: 00F70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 808a6b14c2b0940c50dd36d7cb570ba14a38d7279e78494dd6901f961c56d9f9
Instruction ID: 319c6776afa0748ac34578220d050b20e68157ba38e2979116247e97d87708f0
Opcode Fuzzy Hash: 808a6b14c2b0940c50dd36d7cb570ba14a38d7279e78494dd6901f961c56d9f9
Instruction Fuzzy Hash: 5522BE30F002059FEB60DB78C8947AE77E2BB85320F14C52AE549DB395DB74DC459B92

Uniqueness

Uniqueness Score: -1.00%

Function 00F72A28, Relevance: .4, Instructions: 402COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.910333991.0000000000F70000.00000040.00000001.sdmp, Offset: 00F70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f00fe9ab0831390e70a706e156424c149c182cadd2c17fb2a5bc82cf69676a63
Instruction ID: 359c7ff5ac1f31a7c5dc90e89fa8c73111ffce8aa9d801750114df3d1cb504dd
Opcode Fuzzy Hash: f00fe9ab0831390e70a706e156424c149c182cadd2c17fb2a5bc82cf69676a63
Instruction Fuzzy Hash: 19F16D30F002098FCB55DFB8C84469DBBF2AF89324F15C566E819AB395DB35EC429B91

Uniqueness

Uniqueness Score: -1.00%

Function 00F90A97, Relevance: 6.6, APIs: 4, Instructions: 632libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00F90ED5
KiUserExceptionDispatcher.NTDLL ref: 00F913B9

Memory Dump Source

Source File: 00000004.00000002.910377858.0000000000F90000.00000040.00000001.sdmp, Offset: 00F90000, based on PE: false

Similarity

API ID: DispatcherExceptionInitializeThunkUser
String ID:
API String ID: 243558500-0
Opcode ID: d95a6a7be6ce75e1cc51306391662de5b88f8b1a92ac8b6e5356bfb4ff0ac197
Instruction ID: 46ec1c6b647375611397211a22e5365f4811c16957a817fc0c1401efda65529c
Opcode Fuzzy Hash: d95a6a7be6ce75e1cc51306391662de5b88f8b1a92ac8b6e5356bfb4ff0ac197
Instruction Fuzzy Hash: 77520374A10269CFCB64DB24D99879DB7B6BF88306F1084EAE50AA3354CF359E81CF51

Uniqueness

Uniqueness Score: -1.00%

Function 00F90ADC, Relevance: 6.6, APIs: 4, Instructions: 625libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00F90ED5
KiUserExceptionDispatcher.NTDLL ref: 00F913B9

Memory Dump Source

Source File: 00000004.00000002.910377858.0000000000F90000.00000040.00000001.sdmp, Offset: 00F90000, based on PE: false

Similarity

API ID: DispatcherExceptionInitializeThunkUser
String ID:
API String ID: 243558500-0
Opcode ID: 25be037b15d3b958aca5702462604f8708a3059b699ba4e40c6ce2b7720ecb03
Instruction ID: 61b6e5a6a1d8b7a2d4108925c12c75c5fdf925b055efa31971e30c43e0a65e3e
Opcode Fuzzy Hash: 25be037b15d3b958aca5702462604f8708a3059b699ba4e40c6ce2b7720ecb03
Instruction Fuzzy Hash: D2520374A10269CFCB64DB24D99879DB7B6BF88306F1084EAE50AA3354CF359E81CF51

Uniqueness

Uniqueness Score: -1.00%

Function 00F90B37, Relevance: 6.6, APIs: 4, Instructions: 614libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00F90ED5
KiUserExceptionDispatcher.NTDLL ref: 00F913B9

Memory Dump Source

Source File: 00000004.00000002.910377858.0000000000F90000.00000040.00000001.sdmp, Offset: 00F90000, based on PE: false

Similarity

API ID: DispatcherExceptionInitializeThunkUser
String ID:
API String ID: 243558500-0
Opcode ID: e59e0dd09b30931000c9b32111f7a3a67a19c713d42cc6c47b238a1ffe0f5ba3
Instruction ID: 766719a938833b99ef64e632931ae83c5e05332eb55a8aa6f16a5497d6866d55
Opcode Fuzzy Hash: e59e0dd09b30931000c9b32111f7a3a67a19c713d42cc6c47b238a1ffe0f5ba3
Instruction Fuzzy Hash: 53520374A10269CFCB64DB24D99879DB7B6BF88306F1084EAE50AA3354CF359E81CF51

Uniqueness

Uniqueness Score: -1.00%

Function 00F90B7C, Relevance: 6.6, APIs: 4, Instructions: 607libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00F90ED5
KiUserExceptionDispatcher.NTDLL ref: 00F913B9

Memory Dump Source

Source File: 00000004.00000002.910377858.0000000000F90000.00000040.00000001.sdmp, Offset: 00F90000, based on PE: false

Similarity

API ID: DispatcherExceptionInitializeThunkUser
String ID:
API String ID: 243558500-0
Opcode ID: de7e49fbb8d1fd1d24f5683905761c2034a652bce360df31609f2d856c84cdf7
Instruction ID: 0aa4852e068be2ac3083f92ed541573a1743e94bc1053f8afc014739caaba48f
Opcode Fuzzy Hash: de7e49fbb8d1fd1d24f5683905761c2034a652bce360df31609f2d856c84cdf7
Instruction Fuzzy Hash: 4A520374A10269CFCB64DB24D99879DB7B6BF88306F1084EAE50AA3354CF359E81CF51

Uniqueness

Uniqueness Score: -1.00%

Function 00F90BC1, Relevance: 6.6, APIs: 4, Instructions: 600libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00F90ED5
KiUserExceptionDispatcher.NTDLL ref: 00F913B9

Memory Dump Source

Source File: 00000004.00000002.910377858.0000000000F90000.00000040.00000001.sdmp, Offset: 00F90000, based on PE: false

Similarity

API ID: DispatcherExceptionInitializeThunkUser
String ID:
API String ID: 243558500-0
Opcode ID: adea9a1d906f8f7dcf02d16271c1a686e65d98d0d224a72dd3a1288290bbcaea
Instruction ID: a754a56bacf56050157203e0a206c562d6003391b1756055b1a5563ad090f37e
Opcode Fuzzy Hash: adea9a1d906f8f7dcf02d16271c1a686e65d98d0d224a72dd3a1288290bbcaea
Instruction Fuzzy Hash: C4521474A10269CFCB64DB24D99879DB7B6BF88306F1084EAE50AA3354CF359E81CF51

Uniqueness

Uniqueness Score: -1.00%

Function 00F90C06, Relevance: 6.6, APIs: 4, Instructions: 593libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00F90ED5
KiUserExceptionDispatcher.NTDLL ref: 00F913B9

Memory Dump Source

Source File: 00000004.00000002.910377858.0000000000F90000.00000040.00000001.sdmp, Offset: 00F90000, based on PE: false

Similarity

API ID: DispatcherExceptionInitializeThunkUser
String ID:
API String ID: 243558500-0
Opcode ID: c9b9aa600db22f2f6bcf57f0f70c95b15884d00636a053230146e409d41b4ee3
Instruction ID: 04e8965d22bfa33963a252d5c995ffb2b347caecdd56aaea0b28c62b918416cb
Opcode Fuzzy Hash: c9b9aa600db22f2f6bcf57f0f70c95b15884d00636a053230146e409d41b4ee3
Instruction Fuzzy Hash: F0521374A10269CFCB64DB24C99879DB7B6BF88306F1084EAE50AA3354CF359E81CF51

Uniqueness

Uniqueness Score: -1.00%

Function 00F90C4B, Relevance: 6.6, APIs: 4, Instructions: 586libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00F90ED5
KiUserExceptionDispatcher.NTDLL ref: 00F913B9

Memory Dump Source

Source File: 00000004.00000002.910377858.0000000000F90000.00000040.00000001.sdmp, Offset: 00F90000, based on PE: false

Similarity

API ID: DispatcherExceptionInitializeThunkUser
String ID:
API String ID: 243558500-0
Opcode ID: 989d40079248742000c97d5f6ac7d40d8b54e3b2104ca263e61b7e5c88975bf0
Instruction ID: 09e1d24d0e84af1de8d9e8a3569df860bc28b2de8dfb71472bd9c0f4837f2a5f
Opcode Fuzzy Hash: 989d40079248742000c97d5f6ac7d40d8b54e3b2104ca263e61b7e5c88975bf0
Instruction Fuzzy Hash: 04521474A10269CFCB64EB64C99879DB7B6BF88306F1084EAD50AA3354CF359E81CF51

Uniqueness

Uniqueness Score: -1.00%

Function 00F90C90, Relevance: 6.6, APIs: 4, Instructions: 577libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00F90ED5
KiUserExceptionDispatcher.NTDLL ref: 00F913B9

Memory Dump Source

Source File: 00000004.00000002.910377858.0000000000F90000.00000040.00000001.sdmp, Offset: 00F90000, based on PE: false

Similarity

API ID: DispatcherExceptionInitializeThunkUser
String ID:
API String ID: 243558500-0
Opcode ID: 7b701f4b269677d7ef1186d55d157f74ee084acfd9533124922feccf6d1c9a75
Instruction ID: 2833ff9c2a5c7fe46ab894dee3871ca7808d4a78070d74fe73db93040d2bebc8
Opcode Fuzzy Hash: 7b701f4b269677d7ef1186d55d157f74ee084acfd9533124922feccf6d1c9a75
Instruction Fuzzy Hash: 34421474A10269CFCB64DB64C99879DB7B6BF88306F1084EAD50AA3354CF359E81CF51

Uniqueness

Uniqueness Score: -1.00%

Function 00F90CCC, Relevance: 6.6, APIs: 4, Instructions: 572libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00F90ED5
KiUserExceptionDispatcher.NTDLL ref: 00F913B9

Memory Dump Source

Source File: 00000004.00000002.910377858.0000000000F90000.00000040.00000001.sdmp, Offset: 00F90000, based on PE: false

Similarity

API ID: DispatcherExceptionInitializeThunkUser
String ID:
API String ID: 243558500-0
Opcode ID: 6de5972a69a134588034cec2c5cd63cf3f15725a9f9e6a44bf7460dc39d24620
Instruction ID: f1ef8c7c70066f9756368e3e469877609fc9f1772cea98fe997b1fe4615427c9
Opcode Fuzzy Hash: 6de5972a69a134588034cec2c5cd63cf3f15725a9f9e6a44bf7460dc39d24620
Instruction Fuzzy Hash: 90421474A10269CFCB64DB64C99879DB7B6BF88306F1084EAD50AA3354CF359E81CF51

Uniqueness

Uniqueness Score: -1.00%

Function 00F90D11, Relevance: 6.6, APIs: 4, Instructions: 565libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00F90ED5
KiUserExceptionDispatcher.NTDLL ref: 00F913B9

Memory Dump Source

Source File: 00000004.00000002.910377858.0000000000F90000.00000040.00000001.sdmp, Offset: 00F90000, based on PE: false

Similarity

API ID: DispatcherExceptionInitializeThunkUser
String ID:
API String ID: 243558500-0
Opcode ID: 7351b28fb78f968f402580196b48f448fef17d669eb8972524edcef4be87777c
Instruction ID: 7a7736993f782709cf8349c426a7e9c56913b16a3f07307be16a0993fe7243db
Opcode Fuzzy Hash: 7351b28fb78f968f402580196b48f448fef17d669eb8972524edcef4be87777c
Instruction Fuzzy Hash: F2421474A10269CFCB64EB64C99879DB7B6BF88306F1084EAD50AA3354CF359E81CF51

Uniqueness

Uniqueness Score: -1.00%

Function 00F90D56, Relevance: 6.6, APIs: 4, Instructions: 558libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00F90ED5
KiUserExceptionDispatcher.NTDLL ref: 00F913B9

Memory Dump Source

Source File: 00000004.00000002.910377858.0000000000F90000.00000040.00000001.sdmp, Offset: 00F90000, based on PE: false

Similarity

API ID: DispatcherExceptionInitializeThunkUser
String ID:
API String ID: 243558500-0
Opcode ID: 8b80973eca595854598733d0192f3c9fa87bbd2d699534128083a575685c12de
Instruction ID: 97b6d0f8fca0587a68bc9bbeced6c344adec06e410e6c01e24b8b0fe45f4b565
Opcode Fuzzy Hash: 8b80973eca595854598733d0192f3c9fa87bbd2d699534128083a575685c12de
Instruction Fuzzy Hash: 26421474A10269CFCB64EB64C99879DB7B6BF88306F1084EAD50AA3354CF359E81CF51

Uniqueness

Uniqueness Score: -1.00%

Function 00F90D9B, Relevance: 6.6, APIs: 4, Instructions: 551libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00F90ED5
KiUserExceptionDispatcher.NTDLL ref: 00F913B9

Memory Dump Source

Source File: 00000004.00000002.910377858.0000000000F90000.00000040.00000001.sdmp, Offset: 00F90000, based on PE: false

Similarity

API ID: DispatcherExceptionInitializeThunkUser
String ID:
API String ID: 243558500-0
Opcode ID: 0bd133d901ed4cf8b453f384e77afdaef20b9f72628331e1917a8ffb2166e68a
Instruction ID: d4ab207e287cb1c2467206b373ad4f8c7f438f709d8313bbaa26fff445fae2ac
Opcode Fuzzy Hash: 0bd133d901ed4cf8b453f384e77afdaef20b9f72628331e1917a8ffb2166e68a
Instruction Fuzzy Hash: 14421474A10269CFCB64EB64C99879DB7B6BF88306F1084EAD50AA3354CF359E81CF51

Uniqueness

Uniqueness Score: -1.00%

Function 00F911FD, Relevance: 4.9, APIs: 3, Instructions: 384COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 00F913B9
KiUserExceptionDispatcher.NTDLL ref: 00F91671
KiUserExceptionDispatcher.NTDLL ref: 00F918BB

Memory Dump Source

Source File: 00000004.00000002.910377858.0000000000F90000.00000040.00000001.sdmp, Offset: 00F90000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 405e2fe32799c93640eb2321e52e5544504e77cbea7f808767c1bff5ac805e51
Instruction ID: fc02975a3f137d476bade298457e814e9d36313f8a2766fe00d0ebc7bec368b2
Opcode Fuzzy Hash: 405e2fe32799c93640eb2321e52e5544504e77cbea7f808767c1bff5ac805e51
Instruction Fuzzy Hash: 670225B5A10229CFDB64DB24C98479DB7B6BF89306F1084EAD60AA3350CF349E81DF55

Uniqueness

Uniqueness Score: -1.00%

Function 00F91242, Relevance: 4.9, APIs: 3, Instructions: 377COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 00F913B9
KiUserExceptionDispatcher.NTDLL ref: 00F91671
KiUserExceptionDispatcher.NTDLL ref: 00F918BB

Memory Dump Source

Source File: 00000004.00000002.910377858.0000000000F90000.00000040.00000001.sdmp, Offset: 00F90000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: f7ddec3ec61812ead96c8bbf4416aeec5b0e5ebe2f69b2368f00152980afbf36
Instruction ID: 1f9ea0949190767d7d23f9c6aa0782efc2aeb6ec045066cf98ac89f6e1843e3e
Opcode Fuzzy Hash: f7ddec3ec61812ead96c8bbf4416aeec5b0e5ebe2f69b2368f00152980afbf36
Instruction Fuzzy Hash: 630215B5A10229CFDB64DB24C98479DB7B6BF89306F1084EAD60AA3350CF349E81DF55

Uniqueness

Uniqueness Score: -1.00%

Function 00F91287, Relevance: 4.9, APIs: 3, Instructions: 370COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 00F913B9
KiUserExceptionDispatcher.NTDLL ref: 00F91671
KiUserExceptionDispatcher.NTDLL ref: 00F918BB

Memory Dump Source

Source File: 00000004.00000002.910377858.0000000000F90000.00000040.00000001.sdmp, Offset: 00F90000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 3f7abfa8732694abbe7423ec14266818ecfe60fa4c48503229e5ed74e5af4145
Instruction ID: 4da3e6c71d0d7a286493b570557a9ecdc99034550747ec2d4566456ef19bb46d
Opcode Fuzzy Hash: 3f7abfa8732694abbe7423ec14266818ecfe60fa4c48503229e5ed74e5af4145
Instruction Fuzzy Hash: 3C0226B5A10229CFDB64DB24C98479DB7B6BF89306F1084EAD60AA3310CF349E81DF55

Uniqueness

Uniqueness Score: -1.00%

Function 00F912CC, Relevance: 4.9, APIs: 3, Instructions: 363COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 00F913B9
KiUserExceptionDispatcher.NTDLL ref: 00F91671
KiUserExceptionDispatcher.NTDLL ref: 00F918BB

Memory Dump Source

Source File: 00000004.00000002.910377858.0000000000F90000.00000040.00000001.sdmp, Offset: 00F90000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 1e13b1a75be1bfbcd0fdae2a9751777793d6c81114f4cac5963d70ff4119f213
Instruction ID: e69fa6a96bd24d67dbc1bee64ee84370ba032672d858fed294866aaf40bdca2d
Opcode Fuzzy Hash: 1e13b1a75be1bfbcd0fdae2a9751777793d6c81114f4cac5963d70ff4119f213
Instruction Fuzzy Hash: 340224B5A10269CFDB64DB24C98479DB7B6BF88306F1084EAD60AA3350CF349E81DF55

Uniqueness

Uniqueness Score: -1.00%

Function 00F91311, Relevance: 4.9, APIs: 3, Instructions: 354COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 00F913B9
KiUserExceptionDispatcher.NTDLL ref: 00F91671
KiUserExceptionDispatcher.NTDLL ref: 00F918BB

Memory Dump Source

Source File: 00000004.00000002.910377858.0000000000F90000.00000040.00000001.sdmp, Offset: 00F90000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: b3b78d615e27d3468826d69d07d00fd579d8ec67c9fc1b348da128d2f26aa39b
Instruction ID: 3462cfbf06259cf76fd49c64df27fb358d119c31fbc48d736776e15ac943faab
Opcode Fuzzy Hash: b3b78d615e27d3468826d69d07d00fd579d8ec67c9fc1b348da128d2f26aa39b
Instruction Fuzzy Hash: F0F125B5A10269CFDB64DB24C98479DB7B6BF88306F1084EAD60AA3350CF349E81DF55

Uniqueness

Uniqueness Score: -1.00%

Function 00F9134D, Relevance: 4.8, APIs: 3, Instructions: 349COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 00F913B9
KiUserExceptionDispatcher.NTDLL ref: 00F91671
KiUserExceptionDispatcher.NTDLL ref: 00F918BB

Memory Dump Source

Source File: 00000004.00000002.910377858.0000000000F90000.00000040.00000001.sdmp, Offset: 00F90000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: fe378a442d2612d24e0c6af4a6e8f7c754f3915db15bd9bf8ec6d9977562a4c3
Instruction ID: 45b29da16da7e20c88a1804e1952ce27d34fb6f12d2ddd0cca30dcc2be24ff0c
Opcode Fuzzy Hash: fe378a442d2612d24e0c6af4a6e8f7c754f3915db15bd9bf8ec6d9977562a4c3
Instruction Fuzzy Hash: 5CF125B5A10269CFDB64DB24C98479DB7B6BF88306F1084EAD60AA3350CF349E81DF55

Uniqueness

Uniqueness Score: -1.00%

Function 00F91392, Relevance: 4.8, APIs: 3, Instructions: 342COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 00F913B9
KiUserExceptionDispatcher.NTDLL ref: 00F91671
KiUserExceptionDispatcher.NTDLL ref: 00F918BB

Memory Dump Source

Source File: 00000004.00000002.910377858.0000000000F90000.00000040.00000001.sdmp, Offset: 00F90000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 198aeedb95feba7718311884df2494d50342fb192bc4197acfc009eb3cd281d7
Instruction ID: aba77391d3039dc4bad3787d479fd57a5cdacb748f4e00bffe771c7c61a1cc20
Opcode Fuzzy Hash: 198aeedb95feba7718311884df2494d50342fb192bc4197acfc009eb3cd281d7
Instruction Fuzzy Hash: 7EF126B5A10269CFDB64DB24C98479DB7B6BF88306F1084EAD60AA3350CF349E81DF55

Uniqueness

Uniqueness Score: -1.00%

Function 00F913DA, Relevance: 3.3, APIs: 2, Instructions: 335COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 00F91671
KiUserExceptionDispatcher.NTDLL ref: 00F918BB

Memory Dump Source

Source File: 00000004.00000002.910377858.0000000000F90000.00000040.00000001.sdmp, Offset: 00F90000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: e24ed1cedbff56872c695ae5c953f8c509934d9aae61da0ce5b8c642d77f3034
Instruction ID: 86d0e063042a25028c0894c9724e60474b78b9bf8f9eba05583fed8d632cd1df
Opcode Fuzzy Hash: e24ed1cedbff56872c695ae5c953f8c509934d9aae61da0ce5b8c642d77f3034
Instruction Fuzzy Hash: CBF125B5A10229CFDB64DB24C98479DB7B6BF88306F1084EAD60AA3350CF349E81DF55

Uniqueness

Uniqueness Score: -1.00%

Function 00F91422, Relevance: 3.3, APIs: 2, Instructions: 328COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 00F91671
KiUserExceptionDispatcher.NTDLL ref: 00F918BB

Memory Dump Source

Source File: 00000004.00000002.910377858.0000000000F90000.00000040.00000001.sdmp, Offset: 00F90000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: c07d058903cd6ebc6c35a7e74d446af3cf8c0d3dfbbc6bf5fb346a85ab479500
Instruction ID: b73e07292d3872cb78cea6684546f7500a4314957c32c9d591b94b2b8d70a6db
Opcode Fuzzy Hash: c07d058903cd6ebc6c35a7e74d446af3cf8c0d3dfbbc6bf5fb346a85ab479500
Instruction Fuzzy Hash: F8F127B5A10229CFDB64DB24C98479DB7B6BF88306F1084EAD60AA3350CF349E81DF55

Uniqueness

Uniqueness Score: -1.00%

Function 00F9146A, Relevance: 3.3, APIs: 2, Instructions: 321COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 00F91671
KiUserExceptionDispatcher.NTDLL ref: 00F918BB

Memory Dump Source

Source File: 00000004.00000002.910377858.0000000000F90000.00000040.00000001.sdmp, Offset: 00F90000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 1ba9e3934a9044f2fa5aa031c61012c7abaddb74cec3b312ec48134a6848b36b
Instruction ID: be92f0eee4f360d02fbe0caaa114c3ede7e21d2ccff77d1d10468b4c5a4bc4df
Opcode Fuzzy Hash: 1ba9e3934a9044f2fa5aa031c61012c7abaddb74cec3b312ec48134a6848b36b
Instruction Fuzzy Hash: 18E115B5A10229CFDB64DB24C98479DB7B6BF88306F1084EAD60AA3350CF349E81DF55

Uniqueness

Uniqueness Score: -1.00%

Function 00F914B2, Relevance: 3.3, APIs: 2, Instructions: 314COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 00F91671
KiUserExceptionDispatcher.NTDLL ref: 00F918BB

Memory Dump Source

Source File: 00000004.00000002.910377858.0000000000F90000.00000040.00000001.sdmp, Offset: 00F90000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 333bba80b3db2c08085ba06982d0d4b25a258c34696bccaa20321304dbb2e845
Instruction ID: 72b05cf35db01ad6d13105eaaaedfd725ed7ef530ca7645eeb1e6b4e88a0e031
Opcode Fuzzy Hash: 333bba80b3db2c08085ba06982d0d4b25a258c34696bccaa20321304dbb2e845
Instruction Fuzzy Hash: 2EE117B5A10229CFDB64DB24C98479DB7B6BF88306F1084EAD60AA3350CF359E81DF55

Uniqueness

Uniqueness Score: -1.00%

Function 00F914FA, Relevance: 3.3, APIs: 2, Instructions: 307COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 00F91671
KiUserExceptionDispatcher.NTDLL ref: 00F918BB

Memory Dump Source

Source File: 00000004.00000002.910377858.0000000000F90000.00000040.00000001.sdmp, Offset: 00F90000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: feb9767fd6e9da7a98f9b3c4bc86a22a445a809d7aac087a91a8c13ce279ef71
Instruction ID: 8ce2bd1fc05b08ff938ecb658624f5d747225c6eba6b55906a6ef508ff936389
Opcode Fuzzy Hash: feb9767fd6e9da7a98f9b3c4bc86a22a445a809d7aac087a91a8c13ce279ef71
Instruction Fuzzy Hash: BEE125B5A10229CFDB64DB24C98479DB7B6BF88306F1084EAD60AA3310CF349E85DF55

Uniqueness

Uniqueness Score: -1.00%

Function 00F91542, Relevance: 3.3, APIs: 2, Instructions: 300COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 00F91671
KiUserExceptionDispatcher.NTDLL ref: 00F918BB

Memory Dump Source

Source File: 00000004.00000002.910377858.0000000000F90000.00000040.00000001.sdmp, Offset: 00F90000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 3d40f3e57291d8fe315707c0357a2493c34f23c70ea9c96ce7510f40bf3ea31e
Instruction ID: 83100d59be8bf5916fa7d97221e1e21eb524bcc157f759f16f4c70a55e4f10d9
Opcode Fuzzy Hash: 3d40f3e57291d8fe315707c0357a2493c34f23c70ea9c96ce7510f40bf3ea31e
Instruction Fuzzy Hash: C7D134B1A10229CFDB64DB24C98479DB7B6BF88306F1084EAD60AA3310DF349E81DF55

Uniqueness

Uniqueness Score: -1.00%

Function 00F9158A, Relevance: 3.3, APIs: 2, Instructions: 293COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 00F91671
KiUserExceptionDispatcher.NTDLL ref: 00F918BB

Memory Dump Source

Source File: 00000004.00000002.910377858.0000000000F90000.00000040.00000001.sdmp, Offset: 00F90000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 8ec49987b3815f2f549f96f812e006e353c71b01a26945b343c78dc72e777af8
Instruction ID: c66434b07cf74f296a08b2772ba068584dda04266052e04362f71a18e8d287e6
Opcode Fuzzy Hash: 8ec49987b3815f2f549f96f812e006e353c71b01a26945b343c78dc72e777af8
Instruction Fuzzy Hash: 62D135B5A10269CFDB64DB24C98479DB7B6BF88306F1084EAD60AA3310CF349E85DF55

Uniqueness

Uniqueness Score: -1.00%

Function 00F915D2, Relevance: 3.3, APIs: 2, Instructions: 286COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 00F91671
KiUserExceptionDispatcher.NTDLL ref: 00F918BB

Memory Dump Source

Source File: 00000004.00000002.910377858.0000000000F90000.00000040.00000001.sdmp, Offset: 00F90000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 2743f156b6537e965bf0ff8e348ec54d85e8f551f56324f86b4b458ab9d43d9e
Instruction ID: e578a2f39d5376300549b91267ab6147beb32781e866cd425e9ec0fe6ab3844e
Opcode Fuzzy Hash: 2743f156b6537e965bf0ff8e348ec54d85e8f551f56324f86b4b458ab9d43d9e
Instruction Fuzzy Hash: 45D145B5A10269CFDB64DB24C98479DB7B6BF88306F1084EAD60AA3310CF349E85DF55

Uniqueness

Uniqueness Score: -1.00%

Function 00F9161A, Relevance: 3.3, APIs: 2, Instructions: 277COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 00F91671
KiUserExceptionDispatcher.NTDLL ref: 00F918BB

Memory Dump Source

Source File: 00000004.00000002.910377858.0000000000F90000.00000040.00000001.sdmp, Offset: 00F90000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 9a5313137b62bc26fbb17eb6cf19edb5ba16dd0032a505641522c8adacb18a3d
Instruction ID: 67d4e355a79af61fbbfa03d4039909a80bbd617c4f252a86365839e98492cbdc
Opcode Fuzzy Hash: 9a5313137b62bc26fbb17eb6cf19edb5ba16dd0032a505641522c8adacb18a3d
Instruction Fuzzy Hash: 8DC146B1A10269CFDB64DB24C98479DB7B6BF88306F1084EAD60AA3310CF349E85DF55

Uniqueness

Uniqueness Score: -1.00%

Function 00F91656, Relevance: 3.3, APIs: 2, Instructions: 270COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 00F91671
KiUserExceptionDispatcher.NTDLL ref: 00F918BB

Memory Dump Source

Source File: 00000004.00000002.910377858.0000000000F90000.00000040.00000001.sdmp, Offset: 00F90000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: b95f14d3bce2a025b80cced92ab05f4dfd501cb85a9ce90b6e2120a45760edfb
Instruction ID: 2714f8222b3a82260c624c8c1fb2d0e722259f4ff1135f7bdba927347e68b7ff
Opcode Fuzzy Hash: b95f14d3bce2a025b80cced92ab05f4dfd501cb85a9ce90b6e2120a45760edfb
Instruction Fuzzy Hash: 5DC147B0A10269CFDB64DB24C98479DB7B6BF88306F1084EAD60AA3350DF349E85DF55

Uniqueness

Uniqueness Score: -1.00%

Function 00F7E858, Relevance: 2.0, Strings: 1, Instructions: 721COMMON

Download Yara Rule

Strings

x l, xrefs: 00F7ED94

Memory Dump Source

Source File: 00000004.00000002.910333991.0000000000F70000.00000040.00000001.sdmp, Offset: 00F70000, based on PE: false

Similarity

API ID:
String ID: x l
API String ID: 0-2770355295
Opcode ID: df997ae2b0205e97e33bc5f3a963d6562d7f90e5f4fc8e3f98966130be9d4b4c
Instruction ID: 20ccb70f02c671425453c9827ab152cc68fb1330b7d86ff8c87b60459f3ec5bd
Opcode Fuzzy Hash: df997ae2b0205e97e33bc5f3a963d6562d7f90e5f4fc8e3f98966130be9d4b4c
Instruction Fuzzy Hash: 6B429231B042048FDB258B68C45476D7BA6AF89314F29C4BBE50ACF3A1DB35DC46E752

Uniqueness

Uniqueness Score: -1.00%

Function 00FE5350, Relevance: 2.0, APIs: 1, Instructions: 465COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.910413277.0000000000FE0000.00000040.00000001.sdmp, Offset: 00FE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 120829c48c00089c994575b7ee534869561036069cbfee4e30ecf7b723c10e25
Instruction ID: c159f3e1939bf050651a13bd3bc8809519ad7ab98025be9aa092d5d5e839cc9f
Opcode Fuzzy Hash: 120829c48c00089c994575b7ee534869561036069cbfee4e30ecf7b723c10e25
Instruction Fuzzy Hash: E902FE30B04204DFDB10ABB5D858BAEBBF2AF84729F508529E456DB399DF399C05CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00FE8530, Relevance: 1.8, APIs: 1, Instructions: 337libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00FE8807

Memory Dump Source

Source File: 00000004.00000002.910413277.0000000000FE0000.00000040.00000001.sdmp, Offset: 00FE0000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a655ce4d6a10de730d92af9492e416df072839f7e330f4be378bfe5674d0167a
Instruction ID: e61fa0e799b75ac8a15550331eb0247afa4358ad0f72d798e570ce6ddca19ad8
Opcode Fuzzy Hash: a655ce4d6a10de730d92af9492e416df072839f7e330f4be378bfe5674d0167a
Instruction Fuzzy Hash: 76C10030F042058FDB11EBB4C848AAEBBF2AF84314F15896AD44ADB395DF74DC468B91

Uniqueness

Uniqueness Score: -1.00%

Function 0101CB28, Relevance: 1.8, APIs: 1, Instructions: 329libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0101CB01,00000800), ref: 0101CEFA

Memory Dump Source

Source File: 00000004.00000002.910532919.0000000001010000.00000040.00000001.sdmp, Offset: 01010000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 84ddc37cfb3e980d0cff9038ad56a9eed79659d36762afb5eb237abe18819239
Instruction ID: 165252895f2a0592bfbb71a2ff81ad5c58dfa863c0a9c1b0ce1dfa5702d2afd4
Opcode Fuzzy Hash: 84ddc37cfb3e980d0cff9038ad56a9eed79659d36762afb5eb237abe18819239
Instruction Fuzzy Hash: F8D14974A402088FEB64CB68C584BADBBF1FF49710F1084A9E546EB765C779EC41CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00F916A8, Relevance: 1.8, APIs: 1, Instructions: 261COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 00F918BB

Memory Dump Source

Source File: 00000004.00000002.910377858.0000000000F90000.00000040.00000001.sdmp, Offset: 00F90000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 699f51aabc24339123451e7d8c2571994fb2a09a7318ca67ec2e890975cabd16
Instruction ID: cfe0907637709c13c5dfc3bd2ecd405976bf43c01ae9156dce48ab8227000f9e
Opcode Fuzzy Hash: 699f51aabc24339123451e7d8c2571994fb2a09a7318ca67ec2e890975cabd16
Instruction Fuzzy Hash: EFC156B0A10269CFDB64DB24C98479DB7B6BF88306F1084EAD60AA3350DF349E85DF55

Uniqueness

Uniqueness Score: -1.00%

Function 00F916F0, Relevance: 1.8, APIs: 1, Instructions: 254COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 00F918BB

Memory Dump Source

Source File: 00000004.00000002.910377858.0000000000F90000.00000040.00000001.sdmp, Offset: 00F90000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 2f69c0f20e57fbd0fc405e60669fc48857e024fa0ef8b1bcd5955cd3db4a65df
Instruction ID: dd4ea7d66b05aae05268203eef7a4bed67dd9bee84a188f534be5c215fc177af
Opcode Fuzzy Hash: 2f69c0f20e57fbd0fc405e60669fc48857e024fa0ef8b1bcd5955cd3db4a65df
Instruction Fuzzy Hash: 3BB167B0A00269CFDB64DB24C98479DB7B6BF88306F1084EAD60AA3310DF349E81DF55

Uniqueness

Uniqueness Score: -1.00%

Function 00F91738, Relevance: 1.7, APIs: 1, Instructions: 247COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 00F918BB

Memory Dump Source

Source File: 00000004.00000002.910377858.0000000000F90000.00000040.00000001.sdmp, Offset: 00F90000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: e220381effb0448064a9e0c3f45858f99ad1daf3444cb384687eb56eabb3de4e
Instruction ID: 69355d6372cb7740305de95a786f92c34576ed95cbc368d312b9dcd408952cf5
Opcode Fuzzy Hash: e220381effb0448064a9e0c3f45858f99ad1daf3444cb384687eb56eabb3de4e
Instruction Fuzzy Hash: 11B168B0A10269CFDB64DB24C99479DB7B6BF88306F1084EAD60AA3350DF349E81DF55

Uniqueness

Uniqueness Score: -1.00%

Function 00F91780, Relevance: 1.7, APIs: 1, Instructions: 240COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 00F918BB

Memory Dump Source

Source File: 00000004.00000002.910377858.0000000000F90000.00000040.00000001.sdmp, Offset: 00F90000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 52ae87ae25f3be2a208a2c9b6d9aa3056a5ce5696d6f1c204678c3369a4637cb
Instruction ID: 131f87bbf88ff326019fe5de3657bcb6b53510af2b8b3f3d76a4d0052489b503
Opcode Fuzzy Hash: 52ae87ae25f3be2a208a2c9b6d9aa3056a5ce5696d6f1c204678c3369a4637cb
Instruction Fuzzy Hash: 5EB159B0A10269CFDB64DB24C99479DB7B6BF88306F1084EAD60AA3350DF349E85DF15

Uniqueness

Uniqueness Score: -1.00%

Function 00F917C8, Relevance: 1.7, APIs: 1, Instructions: 233COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 00F918BB

Memory Dump Source

Source File: 00000004.00000002.910377858.0000000000F90000.00000040.00000001.sdmp, Offset: 00F90000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: c7497acdcd3a3e62c309679c443f90baa4e77c93079998fd7315336019c329ee
Instruction ID: 35361365eca6ce67ece8e00cbc3fed54b635b587c4a073f1fdf808c60afd2027
Opcode Fuzzy Hash: c7497acdcd3a3e62c309679c443f90baa4e77c93079998fd7315336019c329ee
Instruction Fuzzy Hash: A0A159B0A00269CFDB64DB24C99479DB7B6BF88306F1084EAD609A3350DF349E85DF15

Uniqueness

Uniqueness Score: -1.00%

Function 00F91810, Relevance: 1.7, APIs: 1, Instructions: 226COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 00F918BB

Memory Dump Source

Source File: 00000004.00000002.910377858.0000000000F90000.00000040.00000001.sdmp, Offset: 00F90000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: adb1b7ee3fdee048abd7c3effe6b150e050bb877f81fc5da751780e3602d6be3
Instruction ID: 0ae9dc8d4867484a75d533d25b836e4c9df8192edca2e7ba1308399a8581d5c0
Opcode Fuzzy Hash: adb1b7ee3fdee048abd7c3effe6b150e050bb877f81fc5da751780e3602d6be3
Instruction Fuzzy Hash: E2A15AB0A00269CFDB64DB24C99479DB7B6BF88306F1084EAD609A3750DF349E85DF15

Uniqueness

Uniqueness Score: -1.00%

Function 00F91858, Relevance: 1.7, APIs: 1, Instructions: 219COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 00F918BB

Memory Dump Source

Source File: 00000004.00000002.910377858.0000000000F90000.00000040.00000001.sdmp, Offset: 00F90000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 7033b8f550ebcb694b6a876c20fcff68fa3051ef83c505a2b389378b509af5b5
Instruction ID: e682ab8f8b560f78adcb2438cadfaaae86dba4da0dab19dd00b303390ed49258
Opcode Fuzzy Hash: 7033b8f550ebcb694b6a876c20fcff68fa3051ef83c505a2b389378b509af5b5
Instruction Fuzzy Hash: FDA16AB0A10269CFDB64DB24C9947ADB7B6BF88306F1084EAD609A3740DF349E81CF15

Uniqueness

Uniqueness Score: -1.00%

Function 00F918A0, Relevance: 1.7, APIs: 1, Instructions: 210COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 00F918BB

Memory Dump Source

Source File: 00000004.00000002.910377858.0000000000F90000.00000040.00000001.sdmp, Offset: 00F90000, based on PE: false

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: d1c9195593414252f4dbb356b329b818ca50195532eaa4695b72f1b9d5b6158f
Instruction ID: 7b7478af78809143685d9fc8d7d9b042c2610fe9ceb99520cf306d64b072bb75
Opcode Fuzzy Hash: d1c9195593414252f4dbb356b329b818ca50195532eaa4695b72f1b9d5b6158f
Instruction Fuzzy Hash: 19916AB0A00269CFDB64DB24C9947ADB7B6BF88306F1084EAD609A3740DF349E85CF15

Uniqueness

Uniqueness Score: -1.00%

Function 01010F68, Relevance: 1.6, APIs: 1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.910532919.0000000001010000.00000040.00000001.sdmp, Offset: 01010000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6944aa568ad3bc92cf5a9fd10e286245a68f288290ad962d32ad6299da665c72
Instruction ID: 839ccb4c7dc9ef55df0b7419fee521cd0c0b7d31fd12be0ec6c751283c27e2b6
Opcode Fuzzy Hash: 6944aa568ad3bc92cf5a9fd10e286245a68f288290ad962d32ad6299da665c72
Instruction Fuzzy Hash: 7B414871E083998FCB05DFB9C8442AEBFF0AF89210F1585AEE544E7251DB789885CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 00F9FA18, Relevance: 1.6, APIs: 1, Instructions: 120registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(00000000,?,?,?,?,?), ref: 00F9FB21

Memory Dump Source

Source File: 00000004.00000002.910377858.0000000000F90000.00000040.00000001.sdmp, Offset: 00F90000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: d1ef9be32cee00020d91b82d64d19769dbc7b1f355d399ea923be9159dbb9e73
Instruction ID: f6d783d523445f7a43f9a6ff76ee9e52d69662b4030e176669bae7c353033b7f
Opcode Fuzzy Hash: d1ef9be32cee00020d91b82d64d19769dbc7b1f355d399ea923be9159dbb9e73
Instruction Fuzzy Hash: E94126B1E04209DFDB10CFA9C984A9EBBF5BF48724F158029E819AB350D7749C0ADF90

Uniqueness

Uniqueness Score: -1.00%

Function 00F9ED48, Relevance: 1.6, APIs: 1, Instructions: 88registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(00000000,?,?,?,?,?), ref: 00F9FB21

Memory Dump Source

Source File: 00000004.00000002.910377858.0000000000F90000.00000040.00000001.sdmp, Offset: 00F90000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: abc0414bc2685cda24a153cea2399fdeecea9a2c8a226752978b33bfd4b77c24
Instruction ID: b80e532c952292172547f8c80a03f1298651146d78e3e1051b61f49feeba4bd2
Opcode Fuzzy Hash: abc0414bc2685cda24a153cea2399fdeecea9a2c8a226752978b33bfd4b77c24
Instruction Fuzzy Hash: 0631D0B1D012599FDB10CF9AC884A9EBBF5FF48714F54802AE819AB350D7749949CF90

Uniqueness

Uniqueness Score: -1.00%

Function 01012319, Relevance: 1.6, APIs: 1, Instructions: 59COMMON

Download Yara Rule

APIs

SetWindowsHookExW.USER32(0000000D,00000000,?,?), ref: 0101239B

Memory Dump Source

Source File: 00000004.00000002.910532919.0000000001010000.00000040.00000001.sdmp, Offset: 01010000, based on PE: false

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: 46207a3b722ecbf48fcbafdb4e909b2d85dc6fbfd8092ee4b7038e499fd9dd91
Instruction ID: f1af8c8d16ac429393f6b4d11c29ca41edab437420b470bbd2f44a04add93545
Opcode Fuzzy Hash: 46207a3b722ecbf48fcbafdb4e909b2d85dc6fbfd8092ee4b7038e499fd9dd91
Instruction Fuzzy Hash: 672135B19002088FCB54CF99D848BEEFBF5BB88314F10842AE469A3250C778A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0101B394, Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0101CB01,00000800), ref: 0101CEFA

Memory Dump Source

Source File: 00000004.00000002.910532919.0000000001010000.00000040.00000001.sdmp, Offset: 01010000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: b0b964075d46596aeab4947b44606acfc82fd2e6db1dced2768103000da74783
Instruction ID: 396c25b3bf2651b2c506a0664bb60f3cf321c2ab137dd5ebabbaad02d486f64c
Opcode Fuzzy Hash: b0b964075d46596aeab4947b44606acfc82fd2e6db1dced2768103000da74783
Instruction Fuzzy Hash: 911117B69002098FDB10CF9AC544BDEFBF4EB48314F14842EE555B7600C379A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 01010B64, Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,01010FBA), ref: 010110A7

Memory Dump Source

Source File: 00000004.00000002.910532919.0000000001010000.00000040.00000001.sdmp, Offset: 01010000, based on PE: false

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 23c7476acfcd51d7464bc8962cdc694010aa2208a55f3322afcfffc09ce2ce51
Instruction ID: 842cfe2d07032018230d2697278944843688d540f3c21d0f2d36c5119bb2eeb5
Opcode Fuzzy Hash: 23c7476acfcd51d7464bc8962cdc694010aa2208a55f3322afcfffc09ce2ce51
Instruction Fuzzy Hash: C31133B1D002599FCB10CFAAC4447EEFBF4AB48324F04816AE914B7200D3B8A944CFE5

Uniqueness

Uniqueness Score: -1.00%

Function 01011039, Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,01010FBA), ref: 010110A7

Memory Dump Source

Source File: 00000004.00000002.910532919.0000000001010000.00000040.00000001.sdmp, Offset: 01010000, based on PE: false

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: abd75b3abe5431afd0111455a3b3369c99213c7ad2f2de8d403feff822d5b9d3
Instruction ID: 3f47adb08d8fb680486c7c1e5a2aecf193cb645629a6b3cb058339dc1761c640
Opcode Fuzzy Hash: abd75b3abe5431afd0111455a3b3369c99213c7ad2f2de8d403feff822d5b9d3
Instruction Fuzzy Hash: EF1130B1D002599FCB00CFAAC4447EEFBF4AF48224F15816AE818B7240D3B8A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0101CE89, Relevance: 1.6, APIs: 1, Instructions: 54libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0101CB01,00000800), ref: 0101CEFA

Memory Dump Source

Source File: 00000004.00000002.910532919.0000000001010000.00000040.00000001.sdmp, Offset: 01010000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 305e331c40e38f7ee5aa7ce4f81905d6f32daae2dc05e4b46e8992ef32d84fa6
Instruction ID: 19adf50ba8100e0c6fb9287f4aaf860fd14edc4ce7de7d3ac0aad391ce1916ca
Opcode Fuzzy Hash: 305e331c40e38f7ee5aa7ce4f81905d6f32daae2dc05e4b46e8992ef32d84fa6
Instruction Fuzzy Hash: 711114B29002488FDB10CF9AC944BDEFBF4EB89324F14846EE959B7600C379A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00FE5718, Relevance: 1.6, APIs: 1, Instructions: 52libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00FE5759

Memory Dump Source

Source File: 00000004.00000002.910413277.0000000000FE0000.00000040.00000001.sdmp, Offset: 00FE0000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 41431539676bca26825236bae0281381d78010764dffef1d195ea9815a963e91
Instruction ID: b128b888bc95acc8acf9a8705ca46017953f2dba103abd42a6b1ead46ec6ab4f
Opcode Fuzzy Hash: 41431539676bca26825236bae0281381d78010764dffef1d195ea9815a963e91
Instruction Fuzzy Hash: 0D114930E01249EFCB14DFA5D498BDEBBB2FF85319F108529E401AB395DB35A845CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00F73280, Relevance: 1.3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

Strings

D0%l, xrefs: 00F7333F

Memory Dump Source

Source File: 00000004.00000002.910333991.0000000000F70000.00000040.00000001.sdmp, Offset: 00F70000, based on PE: false

Similarity

API ID:
String ID: D0%l
API String ID: 0-3182299250
Opcode ID: cbeeab12991743847b25081c6622a258ede56cdcf1a08481453c3968fc00f74a
Instruction ID: b18b7f2cbe2fe67f0fab169083a51b04ba8c13017eafa91241db292393718576
Opcode Fuzzy Hash: cbeeab12991743847b25081c6622a258ede56cdcf1a08481453c3968fc00f74a
Instruction Fuzzy Hash: C6218030E14108ABDB14EBB4D844BEEBBB6EF8D324F50802AD506A7284DF345D01EB66

Uniqueness

Uniqueness Score: -1.00%

Function 00F73510, Relevance: .6, Instructions: 581COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.910333991.0000000000F70000.00000040.00000001.sdmp, Offset: 00F70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82fa3f603ddaf31001a6e08824f91d1c938ec30233921312dbac4b01997d2868
Instruction ID: b5777cc6152921f9749640d8a87370b5983b7d97b4bac1d903ba233466e547fd
Opcode Fuzzy Hash: 82fa3f603ddaf31001a6e08824f91d1c938ec30233921312dbac4b01997d2868
Instruction Fuzzy Hash: 0322F030F082049FDB159B78C844BAD7BE2AF85314F15C1AAE449DF396DB34DD06AB92

Uniqueness

Uniqueness Score: -1.00%

Function 00F71D8F, Relevance: .3, Instructions: 289COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.910333991.0000000000F70000.00000040.00000001.sdmp, Offset: 00F70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8994f298ac50c737ec2cba73c292f3b89c30e4870f5a647d07d982ab8d57b566
Instruction ID: 067029a8ac8f28171afa09daa74ed16ac1df502e7fe2b32e91d862ca3a754039
Opcode Fuzzy Hash: 8994f298ac50c737ec2cba73c292f3b89c30e4870f5a647d07d982ab8d57b566
Instruction Fuzzy Hash: 31B15930E0010A9BEF60DA68C4847ADB7B1FB55320F60C92BE419EB351DB75EC85DB92

Uniqueness

Uniqueness Score: -1.00%

Function 00F7B858, Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.910333991.0000000000F70000.00000040.00000001.sdmp, Offset: 00F70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f26fbcbe748a522c8034892c5405456329930da2ed3e894bec5d05a48b0a0e99
Instruction ID: eee14c482fe3b7a7809189b5f9e9ee4ff2d75e38251b15731e22bcf6be2cf1c3
Opcode Fuzzy Hash: f26fbcbe748a522c8034892c5405456329930da2ed3e894bec5d05a48b0a0e99
Instruction Fuzzy Hash: 25A19E71E04209DFCF15CFA8C844B9EBBB2BF8A310F148166E919AB365D730AC55DB52

Uniqueness

Uniqueness Score: -1.00%

Function 00F7DB92, Relevance: .2, Instructions: 248COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.910333991.0000000000F70000.00000040.00000001.sdmp, Offset: 00F70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63c8b6f783252fcc42130c9e65f185ce012c6ff40caaceb9ac81522d7a7543da
Instruction ID: 81fb1077c7812c1abeb99cc051c6c9f7083a4092ed371e02550c93904bedd9f0
Opcode Fuzzy Hash: 63c8b6f783252fcc42130c9e65f185ce012c6ff40caaceb9ac81522d7a7543da
Instruction Fuzzy Hash: 4281B234B042048FCB15EBB4D4647AE76E3AFC8310F14846AE946DB798EF789C068792

Uniqueness

Uniqueness Score: -1.00%

Function 00F748B0, Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.910333991.0000000000F70000.00000040.00000001.sdmp, Offset: 00F70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4ff44dc6394164e354a36c9240e11218923c3009133d54c468639703bc36e66
Instruction ID: 171266f45928643d3b2d0e52ca2954650816564956aa421ae8081993ca42e805
Opcode Fuzzy Hash: e4ff44dc6394164e354a36c9240e11218923c3009133d54c468639703bc36e66
Instruction Fuzzy Hash: F5810E30E042408FEB10CB68C944799BBE6AF85324F24C1ABD51C9F796EB79EC05C792

Uniqueness

Uniqueness Score: -1.00%

Function 00F7DBF0, Relevance: .2, Instructions: 224COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.910333991.0000000000F70000.00000040.00000001.sdmp, Offset: 00F70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e188da4e0e1a8065b614be3c644fa113ea33fa4b9b953de0af6a52ab930da847
Instruction ID: b05f9e1d305958ccf1f04f67d85854d246901ed38db7f8b891d6724e6dcb1c84
Opcode Fuzzy Hash: e188da4e0e1a8065b614be3c644fa113ea33fa4b9b953de0af6a52ab930da847
Instruction Fuzzy Hash: FB71A334F002048BCB14EB74D4647AE76F3AFC8354F148429E94ADB788EF799C428B92

Uniqueness

Uniqueness Score: -1.00%

Function 00F744D0, Relevance: .2, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.910333991.0000000000F70000.00000040.00000001.sdmp, Offset: 00F70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 019deaa38b07e668484adb99cc3904b520905f5846486b2d9aef2f319220c25c
Instruction ID: dcef848852d47bdda52f7346570df3a35a3a4bfdcafdd0e815e4f068a48778af
Opcode Fuzzy Hash: 019deaa38b07e668484adb99cc3904b520905f5846486b2d9aef2f319220c25c
Instruction Fuzzy Hash: F3718230B092408FD702DB789854B6A7BF19F86314F19C0A6D54CCB7A7EB39EC069B52

Uniqueness

Uniqueness Score: -1.00%

Function 00F7B538, Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.910333991.0000000000F70000.00000040.00000001.sdmp, Offset: 00F70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3da251163a924748d4a1ddf76e1ed24e7dc8f72afd42668bb9d52e2b56df77ad
Instruction ID: 20145736de781b463ede1c3ee8c6ea796c41de8c2f2c68074e2b2bf795d10170
Opcode Fuzzy Hash: 3da251163a924748d4a1ddf76e1ed24e7dc8f72afd42668bb9d52e2b56df77ad
Instruction Fuzzy Hash: 047110347002458FCB15DF28C898B6E7BE5AF8A750F1980AAE909CB371DB74DC42DB52

Uniqueness

Uniqueness Score: -1.00%

Function 00F73FA0, Relevance: .2, Instructions: 157COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.910333991.0000000000F70000.00000040.00000001.sdmp, Offset: 00F70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5c150565b32e9367b6d50e8c07dcd02cf46d6e5dc17db128bf5f479025eec81
Instruction ID: 15f04cb56e539dff6583fe0fe8917dd4a8c32df39a8f7933f8cc5df65a4bf034
Opcode Fuzzy Hash: e5c150565b32e9367b6d50e8c07dcd02cf46d6e5dc17db128bf5f479025eec81
Instruction Fuzzy Hash: BE514330F082088FEB16A774C8543AE7AE2AFC5354F15C07AE5489B382DF789C85D792

Uniqueness

Uniqueness Score: -1.00%

Function 00F70011, Relevance: .2, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.910333991.0000000000F70000.00000040.00000001.sdmp, Offset: 00F70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d41c6572a3461c1bd421e313254fdcdc1664314f4fb10661c11d80281becb97
Instruction ID: ca4700fbae5448b7257483cf210ca86ad5c18c17a0dc1fe7535d36780678d3bc
Opcode Fuzzy Hash: 5d41c6572a3461c1bd421e313254fdcdc1664314f4fb10661c11d80281becb97
Instruction Fuzzy Hash: 5A516770F042499FCB15ABB4D95879EBBB2AF89204F0084AAD54AEB341EF389D45CF51

Uniqueness

Uniqueness Score: -1.00%

Function 00F7DEDC, Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.910333991.0000000000F70000.00000040.00000001.sdmp, Offset: 00F70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8532feb8a7eb6f5a7cd5d55ebd60fa814fb0eb9cb8cfa29f937c38e92524f78b
Instruction ID: 286c676a1e9e591153bc95bef088e4d43b9e74dbb98c9a697d480c1d6ed3f328
Opcode Fuzzy Hash: 8532feb8a7eb6f5a7cd5d55ebd60fa814fb0eb9cb8cfa29f937c38e92524f78b
Instruction Fuzzy Hash: 3041A734F002158FDB24AB74D42876D76F7AF88750F148429D846DB398EF799C429B92

Uniqueness

Uniqueness Score: -1.00%

Function 00F7B9AB, Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.910333991.0000000000F70000.00000040.00000001.sdmp, Offset: 00F70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57a4b415807b3a6139b952e0e3af11583e86c422925866c9d4416e8b7be8d414
Instruction ID: 71db4bd4984979932b9379b84dddedd6c0873fe1d7687a5470cde776bf6e52b3
Opcode Fuzzy Hash: 57a4b415807b3a6139b952e0e3af11583e86c422925866c9d4416e8b7be8d414
Instruction Fuzzy Hash: D2419231A04209DFDF11DFA8C844B9EBBB2AF4A324F04C056E919AB2A5D335DD14EB91

Uniqueness

Uniqueness Score: -1.00%

Function 00F729C8, Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.910333991.0000000000F70000.00000040.00000001.sdmp, Offset: 00F70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7cec1922d5b65713e47d676a535f8c7c4c05aa548651ef68ce28af95989d627b
Instruction ID: 06191987700fc610ace43cfd10831f451e3401a4d8cd5f11481bc269c3e9c6eb
Opcode Fuzzy Hash: 7cec1922d5b65713e47d676a535f8c7c4c05aa548651ef68ce28af95989d627b
Instruction Fuzzy Hash: 50313631F083454FDB51A7B5980829E7FB2DB81310F018477E94DCB346EE388C068792

Uniqueness

Uniqueness Score: -1.00%

Function 00F73C88, Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.910333991.0000000000F70000.00000040.00000001.sdmp, Offset: 00F70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1cb3ea5c329e2fb319d2711dc265f99ca30b031829121debbdc257a43cadce16
Instruction ID: c1c1b32ed6abe5b026745e0756d5bd86c8049df90f611c3480f6bffd14f67430
Opcode Fuzzy Hash: 1cb3ea5c329e2fb319d2711dc265f99ca30b031829121debbdc257a43cadce16
Instruction Fuzzy Hash: EC212830B043445FCB42EBB8D8545AE7BF1EF8A200B50C4A6E14DE7396DB349D069761

Uniqueness

Uniqueness Score: -1.00%

Function 0107D53C, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.910655854.000000000107D000.00000040.00000001.sdmp, Offset: 0107D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b9ba19a74f3f3b099cc72545d0d06513ee6da16ce6652de28c18cdb1a58c695
Instruction ID: f6a79b811c28f7c42f3f6afb6655ca8b729d939ce4db5523600aaedea3c7918e
Opcode Fuzzy Hash: 6b9ba19a74f3f3b099cc72545d0d06513ee6da16ce6652de28c18cdb1a58c695
Instruction Fuzzy Hash: A12125B1904240DFDB05DF54D9C0F2ABFA6FF88328F2485A9E9494F246C336D956CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0108D01C, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.910686268.000000000108D000.00000040.00000001.sdmp, Offset: 0108D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f36f65cfa285bd4fef7988fcd7d725978ced531dd7136dc1404a20437f3a003b
Instruction ID: 4ff5cf8ee7e8edfb9d529777bdb193791793b45445062f01e6005764ea80aaa7
Opcode Fuzzy Hash: f36f65cfa285bd4fef7988fcd7d725978ced531dd7136dc1404a20437f3a003b
Instruction Fuzzy Hash: C92103B1508200DFDB15EF94D8C4B16BBA1FB84364F24CAA9E9C94B286C376D847CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00F71148, Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.910333991.0000000000F70000.00000040.00000001.sdmp, Offset: 00F70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb27173e0d5d105a5fcdc6add193c1b49daa084fbfbdd59a4f5ae691a276a476
Instruction ID: 79b93c7afa8e70aca8fd9d83370730ac0bed2771da661abc23b29b0115aa8ac6
Opcode Fuzzy Hash: eb27173e0d5d105a5fcdc6add193c1b49daa084fbfbdd59a4f5ae691a276a476
Instruction Fuzzy Hash: 15218E20A4E3815FD30797298824A157FB5AB93214F5AC0F7D588CF6E7DA28CC0AC762

Uniqueness

Uniqueness Score: -1.00%

Function 00F73E08, Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.910333991.0000000000F70000.00000040.00000001.sdmp, Offset: 00F70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 306e24d26eabd04057f06932f98ee0d4663591eceb94ff1a53ba29c371c2ece4
Instruction ID: d13abbb7922e67ec344071c5d07734d255d95859f9a3c769e5249eaf716da945
Opcode Fuzzy Hash: 306e24d26eabd04057f06932f98ee0d4663591eceb94ff1a53ba29c371c2ece4
Instruction Fuzzy Hash: C321D530E052449FDB05DBA8D4147DE7BF2AF89314F1180AAE448AB391DB74DD09DB92

Uniqueness

Uniqueness Score: -1.00%

Function 00F74718, Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.910333991.0000000000F70000.00000040.00000001.sdmp, Offset: 00F70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c70603c26d3032588ea29f70e299efe2ea7e1190c10165c4b64554af5f61621b
Instruction ID: 0b7c61b8fdab8f6d64854f62249b81c108a95b0d9c1d4a08f40aacdfb9ef949e
Opcode Fuzzy Hash: c70603c26d3032588ea29f70e299efe2ea7e1190c10165c4b64554af5f61621b
Instruction Fuzzy Hash: 6A110470F042008FC701EBB898097AE7BE5AF84310F1584B6E548D7346EF38C9068792

Uniqueness

Uniqueness Score: -1.00%

Function 00F7BA90, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.910333991.0000000000F70000.00000040.00000001.sdmp, Offset: 00F70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f575dbf45ddad0b2807973622acbd45dfabf79eac3bcecc558e80ff5c65546b
Instruction ID: a440aa547fab56d13be22ecee1baff45289a6de7a4e4cd86249a9ec0796661dc
Opcode Fuzzy Hash: 0f575dbf45ddad0b2807973622acbd45dfabf79eac3bcecc558e80ff5c65546b
Instruction Fuzzy Hash: 08118431A00209DBDB10CF5CC885B5EBBA2AFC6324F04C556E8189B2A5D371E810D79A

Uniqueness

Uniqueness Score: -1.00%

Function 0107D537, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.910655854.000000000107D000.00000040.00000001.sdmp, Offset: 0107D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abf9d05837f20679d6678064280a21b40d007861ebc24b3ccb10da70a24719c3
Instruction ID: c5eb04536e73a371950133c7228ad3439de430a7b8b2303f68194ef77cd09492
Opcode Fuzzy Hash: abf9d05837f20679d6678064280a21b40d007861ebc24b3ccb10da70a24719c3
Instruction Fuzzy Hash: 9611B176904280CFCB12CF54D5C4B16BFB2FF88324F2886A9D8494B616C336D556CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00F713F1, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.910333991.0000000000F70000.00000040.00000001.sdmp, Offset: 00F70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 366762e1ae081269b9bbe1cc643d4a21c9e8fcc373a4cd4e91b3c93b5699b68d
Instruction ID: deb12c91e4d66156a7ba510e422ac584066c4f70b38035f52c29087b8d407252
Opcode Fuzzy Hash: 366762e1ae081269b9bbe1cc643d4a21c9e8fcc373a4cd4e91b3c93b5699b68d
Instruction Fuzzy Hash: 4F11A335F002158F8B90EFBCD885AAEB7F1FF88210754806AD14DE7354EB389D069B91

Uniqueness

Uniqueness Score: -1.00%

Function 0108D017, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.910686268.000000000108D000.00000040.00000001.sdmp, Offset: 0108D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21dbda9fffde9beb189af7165341122266bd3c9337f42a4093e234a02c9dbdce
Instruction ID: cefc06b33c1df540e34e82d6b751e53d9f2409cdda2534f989d689406bbb9d3b
Opcode Fuzzy Hash: 21dbda9fffde9beb189af7165341122266bd3c9337f42a4093e234a02c9dbdce
Instruction Fuzzy Hash: 2E11BE75508280CFDB12DF54D5C4B15BBA1FB44324F28C6AAE8894B696C33AD44BCFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00F73CE8, Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.910333991.0000000000F70000.00000040.00000001.sdmp, Offset: 00F70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 654bd088089b368a577c6fe02ffe7705efaf1e56036039eafa368cdc527d1ae3
Instruction ID: 6017c70d3527b2405b75dd897b7111060c6fc818b775db1d456ae188b14fc4ac
Opcode Fuzzy Hash: 654bd088089b368a577c6fe02ffe7705efaf1e56036039eafa368cdc527d1ae3
Instruction Fuzzy Hash: 84116575F002199F8B50EBB8D88599E77F5FF88210B508425D54EE7358EB349D029BA1

Uniqueness

Uniqueness Score: -1.00%

Function 00F7DAD0, Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.910333991.0000000000F70000.00000040.00000001.sdmp, Offset: 00F70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c12e01abe2a51347704a4822c8ab7380a80d888d91a5deff8053a501d174b355
Instruction ID: f63fed980ee29438aff73e90086758a4dec95bfd8a51e33e52c5ac88456bf039
Opcode Fuzzy Hash: c12e01abe2a51347704a4822c8ab7380a80d888d91a5deff8053a501d174b355
Instruction Fuzzy Hash: 59116535F002158FCF40EBBCD885A9EB7F5FF882117518425D149E7354EB349D028BA1

Uniqueness

Uniqueness Score: -1.00%

Function 00F71400, Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.910333991.0000000000F70000.00000040.00000001.sdmp, Offset: 00F70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebdf28d72745a5d86d25f9acf508d0983ccf06c20679ca3e1ae59a3b6bd3c470
Instruction ID: 0fccda2f021a2de969143aef428f0bc00421621a83d09ab97cbec22ad74e39db
Opcode Fuzzy Hash: ebdf28d72745a5d86d25f9acf508d0983ccf06c20679ca3e1ae59a3b6bd3c470
Instruction Fuzzy Hash: 0811A135F001149F8B90EBBCD885AAEB7F6FF882107508429D14AE7358EB389D069B91

Uniqueness

Uniqueness Score: -1.00%

Function 00F7DACF, Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.910333991.0000000000F70000.00000040.00000001.sdmp, Offset: 00F70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d07fb00cdb80275d425fc54ce6a393bceb812b232c6e668449040635bfd4e5f
Instruction ID: 87337b0c626ad8d5c795dad5ee10bbadffde37037b05ecb0e949499969941dd9
Opcode Fuzzy Hash: 6d07fb00cdb80275d425fc54ce6a393bceb812b232c6e668449040635bfd4e5f
Instruction Fuzzy Hash: 72116535F001158FCF40EBBCD985AAE73F1FF882117518425D149E7358EB349D028B91

Uniqueness

Uniqueness Score: -1.00%

Function 00F73ED5, Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.910333991.0000000000F70000.00000040.00000001.sdmp, Offset: 00F70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: feb03f0da89832c04e9f1539e66fc49c0ba58ba575d036242c07929bb8862dff
Instruction ID: 677c14c770039befcc67c51e7c0eb4b72c4649c56c4ba5d77e2338f46dccadbb
Opcode Fuzzy Hash: feb03f0da89832c04e9f1539e66fc49c0ba58ba575d036242c07929bb8862dff
Instruction Fuzzy Hash: FD115A70E01119EFCF09CFA8E4546DCBBB2AF89354F11806AE009A7351CB719E45EB92

Uniqueness

Uniqueness Score: -1.00%

Function 00F7B849, Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.910333991.0000000000F70000.00000040.00000001.sdmp, Offset: 00F70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ec18d67cc8c9c802a2e32ecb1ee36abc3bef66e07759785996e7a65d4c2e2bc
Instruction ID: 8de1b140e464feee006be067fff2c2cbc8e89b1e8e841344799bdf072b934729
Opcode Fuzzy Hash: 8ec18d67cc8c9c802a2e32ecb1ee36abc3bef66e07759785996e7a65d4c2e2bc
Instruction Fuzzy Hash: 0301D076E002189FDF04DFD8D9409DEBBB6EF88310B01812AE909AB214D7349A19DB91

Uniqueness

Uniqueness Score: -1.00%

Function 00F74778, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.910333991.0000000000F70000.00000040.00000001.sdmp, Offset: 00F70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 025ffb63e6e4c9d2931c0f5ce9e80510d99952abf557c4b5b83571b78c602399
Instruction ID: 2f9be8b4f0017b5d5061853cf918a93e9277e260a30b7ea1cf29c058f1386171
Opcode Fuzzy Hash: 025ffb63e6e4c9d2931c0f5ce9e80510d99952abf557c4b5b83571b78c602399
Instruction Fuzzy Hash: 7DF08275F002189B8B50EBB958147AF7AE9AB88360B100575D649E3344EF38890287E1

Uniqueness

Uniqueness Score: -1.00%

Function 00F746B7, Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.910333991.0000000000F70000.00000040.00000001.sdmp, Offset: 00F70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad7f0361fcbc118dcf64180074ac0b26a7fec1b0cbd644096dbda678b67a7322
Instruction ID: 1914ececdf08abd8e55b294d9230d1f4c053af9408d03eb9e208e48ad47fffe1
Opcode Fuzzy Hash: ad7f0361fcbc118dcf64180074ac0b26a7fec1b0cbd644096dbda678b67a7322
Instruction Fuzzy Hash: BFE06D3AB041148B8F00FBB8D4848DD73F2EBC8214B108061E10AE7398DE389C038B62

Uniqueness

Uniqueness Score: -1.00%

Function 00F7145F, Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.910333991.0000000000F70000.00000040.00000001.sdmp, Offset: 00F70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7faea12412e2ee4e9e72d4f18957f83940abd50dd1c415697083d03caaac13e8
Instruction ID: ec6765d7b781708d8499ccc15bc3bf5f4444eb27d1f82d2a1cd3d343350d00bd
Opcode Fuzzy Hash: 7faea12412e2ee4e9e72d4f18957f83940abd50dd1c415697083d03caaac13e8
Instruction Fuzzy Hash: 12E06D36B041148B8F10EBF8D4858DD73F2FBC82147004061E10AE7358DE389C428B61

Uniqueness

Uniqueness Score: -1.00%

Function 00F73D47, Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.910333991.0000000000F70000.00000040.00000001.sdmp, Offset: 00F70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b8922312b1340c6d5b4fddaf91ce3ee2ccacf3ff573476e13c62819179e82b0
Instruction ID: a4fb30cdc307214658fd4e02161f6c06a5bc15052d803bc0f5da2bdf8a565f18
Opcode Fuzzy Hash: 4b8922312b1340c6d5b4fddaf91ce3ee2ccacf3ff573476e13c62819179e82b0
Instruction Fuzzy Hash: F6E06D36B041148B8F10E7F8E4844DD73E2FBC8214B508461E10AE7358DE389D038B61

Uniqueness

Uniqueness Score: -1.00%

Function 00F7DB2F, Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.910333991.0000000000F70000.00000040.00000001.sdmp, Offset: 00F70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99eebcf7c19ac598d183ed13ea22ccc7b1561c640c27f8484df24208cf09a9ac
Instruction ID: 90f7bdf75f8db00f36a5a1f60f421652abc6c9c1aa1786a0e7353a6d666700c1
Opcode Fuzzy Hash: 99eebcf7c19ac598d183ed13ea22ccc7b1561c640c27f8484df24208cf09a9ac
Instruction Fuzzy Hash: BFE06D36B041148B8F00EBB8D4858DD73F2EFC82257414061E10AE7358EE389C128BA2

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: AlxpSuW.exe PID: 6564 Parent PID: 3424 AlxpSuW.exeCOMMON

Executed Functions

Function 06B60500, Relevance: 1.4, Strings: 1, Instructions: 125COMMON

Download Yara Rule

Strings

n._, xrefs: 06B605A6

Memory Dump Source

Source File: 00000009.00000002.752487658.0000000006B60000.00000040.00000001.sdmp, Offset: 06AF0000, based on PE: true

Associated: 00000009.00000002.752379579.0000000006AF0000.00000004.00000001.sdmp Download File

Similarity

API ID:
String ID: n._
API String ID: 0-445688771
Opcode ID: 6429e1f83a32c42ffcb23559d58b776ad5c2bc30e6e992f898a47d954705280f
Instruction ID: 544ca4a48d573b5c1da095d4d6edea0f8cb10e71ce4e8af96977d63fa360d5c0
Opcode Fuzzy Hash: 6429e1f83a32c42ffcb23559d58b776ad5c2bc30e6e992f898a47d954705280f
Instruction Fuzzy Hash: BD5118B0E042198FDB48DFAAC5506AEFBF2FF88300F14C16AE519B7254D7788A41CB64

Uniqueness

Uniqueness Score: -1.00%

Function 06B60EB0, Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.752487658.0000000006B60000.00000040.00000001.sdmp, Offset: 06AF0000, based on PE: true

Associated: 00000009.00000002.752379579.0000000006AF0000.00000004.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05ad6dff8eaf7d8256d1eb9fd4da314c341715c94acdf0e19d0ada7370ab1d79
Instruction ID: 28210df023ed140680fa8cd0c5cadc627de7d53a45ceb9b0fae34fb4f44c5978
Opcode Fuzzy Hash: 05ad6dff8eaf7d8256d1eb9fd4da314c341715c94acdf0e19d0ada7370ab1d79
Instruction Fuzzy Hash: 0921C5B1E006188BDB18CFABD9447DEBBB3AFC8310F14C16AD509AA258DB7519558F90

Uniqueness

Uniqueness Score: -1.00%

Function 00F46A40, Relevance: 6.1, APIs: 4, Instructions: 148threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 00F46AB0
GetCurrentThread.KERNEL32 ref: 00F46AED
GetCurrentProcess.KERNEL32 ref: 00F46B2A
GetCurrentThreadId.KERNEL32 ref: 00F46B83

Memory Dump Source

Source File: 00000009.00000002.739985219.0000000000F40000.00000040.00000001.sdmp, Offset: 00F40000, based on PE: false

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 5822b20f3d94a70c7f056a843a055fb53c6e67312c69a51d77cc8e9c7298dda6
Instruction ID: f52033cc8cf2d4a8373df5201b1ca43723e4fbd313931b46c833fa44dd8697ea
Opcode Fuzzy Hash: 5822b20f3d94a70c7f056a843a055fb53c6e67312c69a51d77cc8e9c7298dda6
Instruction Fuzzy Hash: CE6186B09002498FCB04CFA9D988BDEBFF1FF8A314F248469E419A7291D7746944CB66

Uniqueness

Uniqueness Score: -1.00%

Function 00F46A50, Relevance: 6.1, APIs: 4, Instructions: 120threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 00F46AB0
GetCurrentThread.KERNEL32 ref: 00F46AED
GetCurrentProcess.KERNEL32 ref: 00F46B2A
GetCurrentThreadId.KERNEL32 ref: 00F46B83

Memory Dump Source

Source File: 00000009.00000002.739985219.0000000000F40000.00000040.00000001.sdmp, Offset: 00F40000, based on PE: false

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 68edfcecd7133eaac12c4b3f7fcfae27fa0685d858fe93c1f7a354f46904cf2f
Instruction ID: fe92aad506beb5f684d54d31a183cd0630e256ef76dcd41a35daf0b102bee641
Opcode Fuzzy Hash: 68edfcecd7133eaac12c4b3f7fcfae27fa0685d858fe93c1f7a354f46904cf2f
Instruction Fuzzy Hash: 945144B09006498FDB14CFA9D988BEEBBF0FF8A314F248469E419A7350D7746944CF66

Uniqueness

Uniqueness Score: -1.00%

Function 00F4BA50, Relevance: 1.7, APIs: 1, Instructions: 205COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00F4BCA6

Memory Dump Source

Source File: 00000009.00000002.739985219.0000000000F40000.00000040.00000001.sdmp, Offset: 00F40000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 319edeb5beaee98e2910b5d32f2f1e7908d208c8bdbc3e28f49b961d8a605639
Instruction ID: e31588a9903393f63c2926a5a4b39f1f6d4e14812c0c8a0dd5f33cfdf4ea8979
Opcode Fuzzy Hash: 319edeb5beaee98e2910b5d32f2f1e7908d208c8bdbc3e28f49b961d8a605639
Instruction Fuzzy Hash: 98813570A00B058FD724DF29C44579ABBF1FF88314F00892DD88ADBA52D779E905CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00F4DF0D, Relevance: 1.6, APIs: 1, Instructions: 117COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 00F4E02A

Memory Dump Source

Source File: 00000009.00000002.739985219.0000000000F40000.00000040.00000001.sdmp, Offset: 00F40000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 66012c109d409f670b6753fae1993362f688c4e28cc3d7438962946ae1b48831
Instruction ID: 755c879aa3f6be104a707eb7c07fc1f2cd809feccdd2d20caac5cdff929794f3
Opcode Fuzzy Hash: 66012c109d409f670b6753fae1993362f688c4e28cc3d7438962946ae1b48831
Instruction Fuzzy Hash: FD51B1B1D00349EFDB14CFA9C884ADEBFB1BF48314F24852AE819AB250D7B59945CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00F4DF18, Relevance: 1.6, APIs: 1, Instructions: 113COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 00F4E02A

Memory Dump Source

Source File: 00000009.00000002.739985219.0000000000F40000.00000040.00000001.sdmp, Offset: 00F40000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 751dc084cb5f53b53b57ea39b5cdb8d5264dcb441dca5653e91f3d54c123a6eb
Instruction ID: 13a7a5eb865f3da14ea0811ec907f8748a9408a90d3f0570a8470ab0c1c60f28
Opcode Fuzzy Hash: 751dc084cb5f53b53b57ea39b5cdb8d5264dcb441dca5653e91f3d54c123a6eb
Instruction Fuzzy Hash: A94190B1D00309EFDB14CF99C884ADEBFB5BF48314F64852AE819AB210D7B5A945CF91

Uniqueness

Uniqueness Score: -1.00%

Function 04D43D34, Relevance: 1.6, APIs: 1, Instructions: 111COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 04D43DF1

Memory Dump Source

Source File: 00000009.00000002.749125168.0000000004D40000.00000040.00000001.sdmp, Offset: 04D40000, based on PE: false

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 8fc7d61925a98ccdc844e09f50d19ac61f6ab7f650cc0f78e6fb1141176163aa
Instruction ID: 14d5cde4746c7f15ef9d444f4eff4b06c31c92ef70c6f948ffd1c6bac96b92cf
Opcode Fuzzy Hash: 8fc7d61925a98ccdc844e09f50d19ac61f6ab7f650cc0f78e6fb1141176163aa
Instruction Fuzzy Hash: 5D411371D04219CFDB24CFA9C8847DEBBF1BF88318F24816AD508AB251D7B5694ACF91

Uniqueness

Uniqueness Score: -1.00%

Function 00F47009, Relevance: 1.6, APIs: 1, Instructions: 103COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00F47107

Memory Dump Source

Source File: 00000009.00000002.739985219.0000000000F40000.00000040.00000001.sdmp, Offset: 00F40000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: ec7f9a8506ad3b33a05e5b75df3daa9053036ee2bf33144ea9ad7c58a7704a1e
Instruction ID: 501bbf9f60df39fa1bfd761ec100db6764f8405fa068670a1b0667f14b175737
Opcode Fuzzy Hash: ec7f9a8506ad3b33a05e5b75df3daa9053036ee2bf33144ea9ad7c58a7704a1e
Instruction Fuzzy Hash: B4418876900248AFCB01CFA9D844AEEBFF5FB89310F08806AF904A7361C3759914DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 04D42354, Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 04D43DF1

Memory Dump Source

Source File: 00000009.00000002.749125168.0000000004D40000.00000040.00000001.sdmp, Offset: 04D40000, based on PE: false

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: bd8ca4e450271acbe44ef25d665daa5c1e5c68c9f04ebf324a45b3ff5d5303d9
Instruction ID: 021221ccb57915da99da4e1818bbd2ed013dcac399ad769f741af30553d305a9
Opcode Fuzzy Hash: bd8ca4e450271acbe44ef25d665daa5c1e5c68c9f04ebf324a45b3ff5d5303d9
Instruction Fuzzy Hash: C8410271D0421CCFDB24DFA9C8847DEBBB1BF88304F108169D409AB241D7B5694ACF91

Uniqueness

Uniqueness Score: -1.00%

Function 04D40CD0, Relevance: 1.6, APIs: 1, Instructions: 93COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 04D40D91

Memory Dump Source

Source File: 00000009.00000002.749125168.0000000004D40000.00000040.00000001.sdmp, Offset: 04D40000, based on PE: false

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 5c60af4fdcd572ebbde2f800bba0d7bf4b667a62d44d1f8a6dbe527c22a6c485
Instruction ID: 938e8264fc172ff94ccced3989eb34db90b6e8cb59ffccee261d329e7685590f
Opcode Fuzzy Hash: 5c60af4fdcd572ebbde2f800bba0d7bf4b667a62d44d1f8a6dbe527c22a6c485
Instruction Fuzzy Hash: BD4146B5A00209CFCB14CF99C488AAABBF5FF89314F248459E519AB721D374A845CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00F47078, Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00F47107

Memory Dump Source

Source File: 00000009.00000002.739985219.0000000000F40000.00000040.00000001.sdmp, Offset: 00F40000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 11e3cd5276515b64d9911f626031f1b772fb7ab8626af49d8a9878dc9f18587a
Instruction ID: 7187322d925bbf596229f00788e67ed44eae4ffd3ebc76e03d2b87ec1cf5927e
Opcode Fuzzy Hash: 11e3cd5276515b64d9911f626031f1b772fb7ab8626af49d8a9878dc9f18587a
Instruction Fuzzy Hash: 332103B59002489FDB10CFA9D484AEEBFF4FF48324F14842AE954A3310D374A954CF61

Uniqueness

Uniqueness Score: -1.00%

Function 00F47080, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00F47107

Memory Dump Source

Source File: 00000009.00000002.739985219.0000000000F40000.00000040.00000001.sdmp, Offset: 00F40000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 480cd6308386e85986c0d94eac7d5bd4f63c88738dc9b5dfdd1c6d2cc5a66484
Instruction ID: a12c8ebc588b9de3a90232421c1641b29bc100968d0a1343bcecbd205fb7a66e
Opcode Fuzzy Hash: 480cd6308386e85986c0d94eac7d5bd4f63c88738dc9b5dfdd1c6d2cc5a66484
Instruction Fuzzy Hash: 7421E2B5900248AFDB10CFAAD884ADEBFF8FB48324F14841AE954A3310D374A954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00F4A998, Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00F4BD21,00000800,00000000,00000000), ref: 00F4BF32

Memory Dump Source

Source File: 00000009.00000002.739985219.0000000000F40000.00000040.00000001.sdmp, Offset: 00F40000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 6d7d1d088246b6b733af4da6d65ae1df316f9fd489ad88cb96ba7820449fa909
Instruction ID: 569593230cadb375d14472570c3c9ffc7355fd3223051b732469e1a08bad0fb2
Opcode Fuzzy Hash: 6d7d1d088246b6b733af4da6d65ae1df316f9fd489ad88cb96ba7820449fa909
Instruction Fuzzy Hash: B811E7B6D042499FDB10CF9AD444BDEFBF4EB88324F14842EE919A7601C375A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00F4BEC0, Relevance: 1.6, APIs: 1, Instructions: 54libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00F4BD21,00000800,00000000,00000000), ref: 00F4BF32

Memory Dump Source

Source File: 00000009.00000002.739985219.0000000000F40000.00000040.00000001.sdmp, Offset: 00F40000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: ccb88e87fdc5590fb006402a9552710af4889283c74bfd09dd5259f5bfbf3309
Instruction ID: b3a8cdb37f070cc6d2051e6fdfd64ebfdd042e7b77ed9b17ed789c6229b8bc84
Opcode Fuzzy Hash: ccb88e87fdc5590fb006402a9552710af4889283c74bfd09dd5259f5bfbf3309
Instruction Fuzzy Hash: CE112CB6C042499FCB10CFA9C444ADEFBF4FB48324F14851ED859A7600C3759949CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00F4DB34, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,FFFFFFF4,?), ref: 00F4E1BD

Memory Dump Source

Source File: 00000009.00000002.739985219.0000000000F40000.00000040.00000001.sdmp, Offset: 00F40000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 2412815415739bf5dc4da8479c99feafc573abc06a5ea3e793eb6c1c9601ff67
Instruction ID: 5ef96507d998c9bdbf12e94050ab6e6a5e0224ccf78eb6f28edf1f2412d3d0fe
Opcode Fuzzy Hash: 2412815415739bf5dc4da8479c99feafc573abc06a5ea3e793eb6c1c9601ff67
Instruction Fuzzy Hash: BC11F2B59042099FDB10CF99D488BEEBBF8FB88324F14841AE955A7700C3B4A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00F4BC40, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00F4BCA6

Memory Dump Source

Source File: 00000009.00000002.739985219.0000000000F40000.00000040.00000001.sdmp, Offset: 00F40000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 43c6b7da33b3c6c09d72ac681bae8abba132f8bc8064d606e28cb99134d6490c
Instruction ID: f3eca503a6a44aa613594dc0bfefccf597366bf58b41f02816ed60bcfb759eea
Opcode Fuzzy Hash: 43c6b7da33b3c6c09d72ac681bae8abba132f8bc8064d606e28cb99134d6490c
Instruction Fuzzy Hash: 8611E3B6C002498FCB10CF9AD484BDEFBF4EB89324F14841AD969B7601D775A546CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 06DC1A0E, Relevance: 1.5, APIs: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 06DC1A6D

Memory Dump Source

Source File: 00000009.00000002.752583611.0000000006DC0000.00000040.00000001.sdmp, Offset: 06DC0000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: cf68feb0fe90763d25d67f9f626e4e4933c8a5bbd5aa6c257b62343f7bcb91ac
Instruction ID: d63b65eae330626b989d26867ffc7e83ff10c490f91e8b6f8c127c6cc88e5b7d
Opcode Fuzzy Hash: cf68feb0fe90763d25d67f9f626e4e4933c8a5bbd5aa6c257b62343f7bcb91ac
Instruction Fuzzy Hash: 1411C2B58002599FDB10CF99D889BDEBBF8EB88324F148419E555A7600C375A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 06DC1A10, Relevance: 1.5, APIs: 1, Instructions: 44windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 06DC1A6D

Memory Dump Source

Source File: 00000009.00000002.752583611.0000000006DC0000.00000040.00000001.sdmp, Offset: 06DC0000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: ab88afa8f0d74c9d96963079d71a419b2809caeb0c0537f72e6250acc06d8d3b
Instruction ID: 207b1b066b6caa7642e1a2f50b3978e6dd627ebda55738ee7714925f03a17e2d
Opcode Fuzzy Hash: ab88afa8f0d74c9d96963079d71a419b2809caeb0c0537f72e6250acc06d8d3b
Instruction Fuzzy Hash: E511D3B58003599FDB10CF99D888BDEBBF8FB48324F148419E555A7600C375A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00F4E159, Relevance: 1.5, APIs: 1, Instructions: 42COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,FFFFFFF4,?), ref: 00F4E1BD

Memory Dump Source

Source File: 00000009.00000002.739985219.0000000000F40000.00000040.00000001.sdmp, Offset: 00F40000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 795ec9a72de1bc9ca59419dbf424e0bbb4e7460492f9f17b31c98e61c758bcb5
Instruction ID: 8801ce1c7d933733d0c394753b35ed4a29aea6159daf694b53aa8dd61cad8300
Opcode Fuzzy Hash: 795ec9a72de1bc9ca59419dbf424e0bbb4e7460492f9f17b31c98e61c758bcb5
Instruction Fuzzy Hash: AA1115B5900209CFDB10CF99D484BDEBBF5FB88324F14841AD959A3740C3B4A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 06B607E0, Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.752487658.0000000006B60000.00000040.00000001.sdmp, Offset: 06AF0000, based on PE: true

Associated: 00000009.00000002.752379579.0000000006AF0000.00000004.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f5204a88c8fe07391b78ed3fafb73a9f27a660508d4541e0ea2b35581d84167
Instruction ID: b44a4bf8fe0db43f430eca0d3043ae4d0adb5577d4d5094d3a57cb18c8f65bcf
Opcode Fuzzy Hash: 5f5204a88c8fe07391b78ed3fafb73a9f27a660508d4541e0ea2b35581d84167
Instruction Fuzzy Hash: 3621E7B0E04219DFCB44DF9AC54059EBBF2FF88300F14C5A9D518A7325E7349A418B91

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: AlxpSuW.exe PID: 7044 Parent PID: 6564 AlxpSuW.exeCOMMON

Executed Functions

Function 030D695F, Relevance: 6.1, APIs: 4, Instructions: 145threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 030D69E0
GetCurrentThread.KERNEL32 ref: 030D6A1D
GetCurrentProcess.KERNEL32 ref: 030D6A5A
GetCurrentThreadId.KERNEL32 ref: 030D6AB3

Memory Dump Source

Source File: 0000000A.00000002.910821513.00000000030D0000.00000040.00000001.sdmp, Offset: 030D0000, based on PE: false

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 0129fc6be882ed8c5fe412975a515bbca1c05cab7c813fad5b882886cb5206e7
Instruction ID: 20694e441979016fbdc29c2994be3ba2453a8f755b21da36a5642efbd987f5bf
Opcode Fuzzy Hash: 0129fc6be882ed8c5fe412975a515bbca1c05cab7c813fad5b882886cb5206e7
Instruction Fuzzy Hash: 7E5164B09053888FDB10CFA9C58879EFFF1AF9A304F1484AEE449A7251D7759944CB62

Uniqueness

Uniqueness Score: -1.00%

Function 030D6980, Relevance: 6.1, APIs: 4, Instructions: 120threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 030D69E0
GetCurrentThread.KERNEL32 ref: 030D6A1D
GetCurrentProcess.KERNEL32 ref: 030D6A5A
GetCurrentThreadId.KERNEL32 ref: 030D6AB3

Memory Dump Source

Source File: 0000000A.00000002.910821513.00000000030D0000.00000040.00000001.sdmp, Offset: 030D0000, based on PE: false

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 35eb1b97d13db3c3cedeb1171d910d920a81d28904afe85dfc987b53f5606b48
Instruction ID: 12eab7c617098ab0ad759a6e5b911b800652349b1fca810e4093e88e17b4467d
Opcode Fuzzy Hash: 35eb1b97d13db3c3cedeb1171d910d920a81d28904afe85dfc987b53f5606b48
Instruction Fuzzy Hash: 725130B0A012498FDB10CFA9C588B9EBFF1BF89314F24846EE459A7350CB75A844CF65

Uniqueness

Uniqueness Score: -1.00%

Function 030D504F, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 160COMMON

Download Yara Rule

Strings

T, xrefs: 030D5059

Memory Dump Source

Source File: 0000000A.00000002.910821513.00000000030D0000.00000040.00000001.sdmp, Offset: 030D0000, based on PE: false

Similarity

API ID:
String ID: T
API String ID: 0-3187964512
Opcode ID: bcb8720df27b44e7efc1789a5f5699248d25c5f8831a38e23112d3efa9ca0654
Instruction ID: 7fd4d02dad981fad0ddf9f07544e9f015cf1f1f8dd672b5b8f5cbd3ec6d90f94
Opcode Fuzzy Hash: bcb8720df27b44e7efc1789a5f5699248d25c5f8831a38e23112d3efa9ca0654
Instruction Fuzzy Hash: 4D6101B1C05348AFDF02CFA9C884ADDBFF5AF4A314F19816AE818AB221D7719855CF51

Uniqueness

Uniqueness Score: -1.00%

Function 030D50D0, Relevance: 1.6, APIs: 1, Instructions: 113COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 030D51E2

Memory Dump Source

Source File: 0000000A.00000002.910821513.00000000030D0000.00000040.00000001.sdmp, Offset: 030D0000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: df34e58caff08d4705d3c96270af19c5e33d82dc0707a6c754d17f69c871aaf5
Instruction ID: f9d0bf35e673a6dc7c91fafaa3b496ef3cc8581803472f1b621a897866c26606
Opcode Fuzzy Hash: df34e58caff08d4705d3c96270af19c5e33d82dc0707a6c754d17f69c871aaf5
Instruction Fuzzy Hash: AB41CDB1D113099FDB14CF99C884ADEBBF5BF89314F24852AE819AB210D774A985CF90

Uniqueness

Uniqueness Score: -1.00%

Function 030D77DC, Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 030D7F41

Memory Dump Source

Source File: 0000000A.00000002.910821513.00000000030D0000.00000040.00000001.sdmp, Offset: 030D0000, based on PE: false

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 1141cdaa8fc9f749f2cdcb707f9e19d7622df35dee758c6ccf4de494a3c350ed
Instruction ID: 5381bc8a7640b90374038e1fa149ab52306051212e081eebe368ff34201899c2
Opcode Fuzzy Hash: 1141cdaa8fc9f749f2cdcb707f9e19d7622df35dee758c6ccf4de494a3c350ed
Instruction Fuzzy Hash: 5F4156B5A00309CFDB14CF99C488BAABBF5FF88714F148459E519AB320D770A941CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 030D6BA3, Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 030D6C2F

Memory Dump Source

Source File: 0000000A.00000002.910821513.00000000030D0000.00000040.00000001.sdmp, Offset: 030D0000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 09c0a7c4a231f330f106b5106be415b4b442c5cb51adcf220b917037197018aa
Instruction ID: a89a3016640bdb40a4667e119df02d5a634f387c010841bbfae1ab3f146124bd
Opcode Fuzzy Hash: 09c0a7c4a231f330f106b5106be415b4b442c5cb51adcf220b917037197018aa
Instruction Fuzzy Hash: AF21E3B59012089FDB10CF99D884ADEBBF8FB48324F54841AE914B3310D375A954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 030D6BA8, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 030D6C2F

Memory Dump Source

Source File: 0000000A.00000002.910821513.00000000030D0000.00000040.00000001.sdmp, Offset: 030D0000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 24270e1de9b7407cc2c1b92b8a73e5051509be355a428117a54aab33e3c82676
Instruction ID: df5e37f3ece3df9c34bc9cf6a754636908eb873982435ce44bd88496d7c8d106
Opcode Fuzzy Hash: 24270e1de9b7407cc2c1b92b8a73e5051509be355a428117a54aab33e3c82676
Instruction Fuzzy Hash: 9321E2B59012089FDB10CFA9D884AEEFBF8FB48324F14841AE914B3310D375A954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 030DC1E1, Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

RtlEncodePointer.NTDLL(00000000), ref: 030DC262

Memory Dump Source

Source File: 0000000A.00000002.910821513.00000000030D0000.00000040.00000001.sdmp, Offset: 030D0000, based on PE: false

Similarity

API ID: EncodePointer
String ID:
API String ID: 2118026453-0
Opcode ID: aa32efa9a6cb34228946f4b6598c63a359468316374f2db3434453c92a6df33a
Instruction ID: 87c6c9488fb1337f88565fdeda104ae380a376f90782d2fd38c88246a756458c
Opcode Fuzzy Hash: aa32efa9a6cb34228946f4b6598c63a359468316374f2db3434453c92a6df33a
Instruction Fuzzy Hash: 742189B09013598FDB10DFA9D9497AEBFF8FB4A324F14882AE519B3640C7386504CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 030DC1E8, Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

RtlEncodePointer.NTDLL(00000000), ref: 030DC262

Memory Dump Source

Source File: 0000000A.00000002.910821513.00000000030D0000.00000040.00000001.sdmp, Offset: 030D0000, based on PE: false

Similarity

API ID: EncodePointer
String ID:
API String ID: 2118026453-0
Opcode ID: aa9a3753f064a010632936baf6fac8729c00b9c68c1b370e45f3195d15bfc390
Instruction ID: 6b1c7ad4c8d27a441b0bdcd1984491a8f27babfab60e38b8a7c41f6f9d0be8f1
Opcode Fuzzy Hash: aa9a3753f064a010632936baf6fac8729c00b9c68c1b370e45f3195d15bfc390
Instruction Fuzzy Hash: 3D1189B09013098FDB10CFA9D94879EBFF8FB4A324F148829D519A3640C7796944CFA1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report DUBAI CHEMEX REGA.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: Agenttesla

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Signature Overview

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre